Penetration Testing with Kali Linux OffSec

Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 
76 
The “kali@kali:~$” is what will appear on the screen for a user who is following along. Everything 
that appears in blue text (in this case, “ls -l chmodfix”) is a command that we can type into the 
terminal. The text that follows is the output. 
It’s also important to understand where the focus is, which brings us to 
the skill, not the tool
. 
If you are already familiar with chmod, you may have noticed that we chose one of many different 
methods to use this tool. We chose, for example, not to explore how the permissions for our 
script (before we were able to execute) could have been represented with the numerical 
expression 644, which we could have fixed by running chmod 755. 
Of course, it’s almost impossible to remember every specific command and syntax, and piling on 
too much information increases cognitive load, making it more difficult to remember the material 
later. Even the most experienced security researchers find themselves looking things up now and 
then, and so we encourage learners to focus on 
why
a command is being run versus what 
command is being run. 
Sometimes when new ideas are introduced or when there is an opportunity to learn more outside 
the text, we might introduce a footnote. Getting used to “leaving” the immediate problem in order 
to go do a bit of research is also a critical skill. There have been a number of footnotes in this 
module already, and they appear in numbered superscript in the text. 
Interleaving is inevitable with this type of hands-on training. As a quick reminder, in the context of 
education, interleaving is mixing of multiple subjects. In this case, we reviewed the touch, cat, and 
ls commands, even though they weren’t directly related to the things we were trying to study. 
They were, of course, related to our ability to modify chmod and our employee name script. 
Another way of thinking about this is that the OffSec training materials are organized around 
concepts
, not commands. 
Finally, teaching learners how to 
expect the unexpected
is not always easy to deliver. However, we 
often accomplish this by taking an indirect route to our goal with the intention of realistically 
highlighting issues you may experience in the field. Again, we hope to convey the logic behind our 
decisions instead of simply presenting commands and syntax. 
In this example, we mentioned a potential pitfall with 
directory permissions
(in a sidebar). We also 
knew that ./chmodfix +x /usr/bin/chmod wouldn’t work, but we included it and ran it. We’ll often 
walk through “unexpected” scenarios when we present new Modules and we’ll include 
unexpected outcomes in many of our challenges. 
As students, it’s imperative that we grow comfortable being in situations we don’t fully 
understand and try things that might not work. The only way to really be prepared for the 
“unexpected” is to become comfortable in situations where we don’t know exactly how things will 
pan out. 
Not only this, but we cannot afford to avoid situations where we might feel stuck. In cyber 
security, it’s extremely rare that the first approach we try works. In order to accurately represent 
this field, OffSec’s approach is to teach the material in such a way that students can become 
more resilient and agile, working through a particular problem until we are “unstuck”. 
There is often more than one way to accomplish any goal, and we encourage you to attempt 
other paths to reaching the goals we present. A curious learner might ask if, in the example 
presented, we could solve the issue by simply running sudo chmod +x /usr/bin/chmod. This is 

Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 
77 
exactly the sort of thinking that we encourage, and why many of the challenges are presented in a 
virtual environment where learners can experiment and try things. Trying out an approach that 
doesn’t work is also a valuable learning experience. 
This experiment-and-experiment-again mindset is at the heart of what we believe it takes to be 
highly successful in this field, and at the risk of being redundant, the goal of our training is always 
to teach the methodology and the mindset. 
4.5
Tactics and Common Methods 
Next, we need to think about strategy and tactics. Consider the following quote from Sun Tzu: 

Yüklə

Dostları ilə paylaş: