
eJPT – Junior Penetration Tester


I am officially certified as a Junior Penetration Tester with eLearnSecurity. I must say I found their training to be excellent. Up until now most of the certification exams I’ve done have been from Cisco. I had never heard of eLearnSecurity until I came across them on the forums. I wanted to get into Penetration Testing for some time now as I had always been interested in how someone could break into a network or system. In the past, I have built my own PC and installed numerous operating systems directly on the hard drive or virtually using VMWare to test different things out and to see how they worked, so Penetration Testing was a good fit for me I guess as I liked tinkering with things.

So what do you learn in the course? You can find the course at eLearnSecurity and a breakdown of each section and what modules they cover.

The first section is an introduction to networking, web applications and penetration testing. The second section is programming; again this is an overview and doesn’t go too deep into it, the programming languages covered are C++ and Python. The third section is all about penetration testing and the different phases of a penetration test. You also learn what tools to use here. And for me, the best part of the course is the access you get to the labs where you can learn how to use the tools; here you really get to know how to use them, and nothing beats hands-on learning in my opinion.

In the exam, you get access to the exam lab for 3 days. You are given an exam guide and some information about the network you are going to be pen testing. You have 20 questions to answer based on the exam objectives. You need to gain access to servers, PCs and websites using all the tools and techniques you learned during your studies. Having access to the lab for 3 days is probably a bit too generous as it only took me 4-5hrs to gain access to the systems and find the answers to the questions. I must say I really enjoyed the exam as it was all hands on, which is much better than 60-70 multiple choice questions like most of the Cisco exams I’ve done, apart from the T-SHOOT exam for the CCNP R&S cert, another exam I really enjoyed.

I would fully recommend eLearnSecurity as their course material is great and up to date with the latest tools and exploits. Next, I am going to tackle the PTPv5 course and exam to take my Pen Testing skills to the next level.


Practice with NMAP

If you would like to practice using NMAP commands, the nmap organization has made available a test site at You can use this as your target when learning how to use nmap.


Here I’m running a scan against the website and piping it to a file. The results of the scan are shown below.


Just don’t run continuous scans against the site, after all, it is a shared resource.


NMAP and fping deep dive (Part II)

This is a continuation of my previous post, NMAP and fping deep dive. In that post I talked about fping and NMAP and how they work at a basic level; NMAP, in particular, has a lot more parameters that you can use depending on the task at hand.

In this post I want to cover more of NMAP’s capabilities and what commands we could use to discover more about the network and what potential vulnerabilities these hosts might have that could be used to exploit them.

In the last post we found out what hosts were alive on the network and we also found out what ports were open on those hosts. The next step is to find out what OS they’re running or at least get the best guess as to what it might be.

I am going to use the -sV (version) option and also the -O (OS fingerprinting option) to get more detail on the hosts. You don’t want to blindly attack a network without gathering all the information possible about your target or you run the risk of causing the target to crash because you ran the wrong tool against it. Information gathering is one of the most important parts of penetration testing.

As Abraham Lincoln once said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

The first command to run uses the -sV option, which will give us more information on the ports that are open and what version of the service is running on each.


The administrator might have changed the port to a non-standard port, as is the case for the host at You can see the port is 81 but the service using that port is HTTP, which is usually on port 80. Also, if you remember, this is the host that did not respond to the ping sweep when using fping.
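When an -sV scan is piped to a file, as in the earlier NMAP practice post, the interesting lines are the per-port rows under each "Nmap scan report for" header. The parser below is an added example (my own code, not part of the original post or of nmap itself): it reads nmap's normal output from an -sV scan and flags services that answer on a port other than their usual one, such as the HTTP-on-81 case above. The sample output, the IP addresses (192.0.2.x, a documentation range) and the small service-to-port table are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV` normal output (not a real scan result).
SAMPLE_SV = """Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-27 12:24 IST
Nmap scan report for 192.0.2.6
Host is up (0.00031s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.11.3
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Nmap scan report for 192.0.2.48
Host is up (0.00040s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
81/tcp open  http    Microsoft IIS httpd 5.1
"""

# "Nmap scan report for 192.0.2.6" or "Nmap scan report for name (192.0.2.6)"
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
# "22/tcp open  ssh     OpenSSH 7.6p1 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumption: a hand-picked table of where each service is normally found.
EXPECTED_PORTS = {"http": {80, 8080}, "https": {443}, "ssh": {22}, "domain": {53}}


@dataclass
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_sv(text):
    """Turn nmap normal output into one PortRecord per port row."""
    records = []
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(2)          # remember which host the following rows belong to
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(host, int(port), proto, state,
                                      service, (version or "").strip()))
    return records


def nonstandard_ports(records):
    """Open ports whose detected service is not on its usual port (e.g. http on 81)."""
    return [r for r in records
            if r.state == "open"
            and r.service in EXPECTED_PORTS
            and r.port not in EXPECTED_PORTS[r.service]]


if __name__ == "__main__":
    for r in nonstandard_ports(parse_nmap_sv(SAMPLE_SV)):
        print(f"{r.host}: {r.service} on {r.port}/{r.proto} ({r.version})")
```

Run it against a real file with `parse_nmap_sv(open("scan.txt").read())`; the version column is kept verbatim because that string is what you would look up when checking a host for known weaknesses.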


To build on this we can now run the -O option with nmap. This option sends special probes to try and figure out what OS is running (Windows, Linux and so on; web server software such as IIS or Apache is what the -sV scan above reports, not an OS).

The command is $:nmap -O,6,48,96,99,100,213

Here instead of using /24 I am only running the OS scan on the hosts we already know are alive on the network, this saves us a lot of time as I am only concentrating the scan on specific hosts.


From the output you can see that host at is a Windows XP machine. From this, we could start to look for vulnerabilities on Windows XP for the services they’re running.

To summarise: we started off not knowing what IP addresses were alive, and for this we used the fping tool and also the nmap -sn command. We then ran more nmap commands to figure out what ports were open and also the versions of the services on those open ports. Lastly, we ran the OS fingerprint command to try to figure out what OS the hosts were using.

I hope this was useful.

NMAP and fping deep dive

NMAP and fping are used for scanning and OS footprinting of a network during the information gathering phase of a penetration test.

It is always good to know how to use these tools but also to understand what they’re doing and how they work at a deeper level. So with that in mind, I am going to run these tools and at the same time capture what is going on on the wire using Wireshark.

First, let us see how fping works vs the same scan ran using nmap and why the results might be different.

I will run fping on the network to see what hosts are alive. The command I will use is: #>fping -a -g 2>/dev/null

What are the additional parameters -a and -g doing? The -a parameter tells fping to only report back hosts that are alive, and the -g parameter tells fping to carry out a ping sweep over a range rather than a normal ping against one host. The 2>/dev/null at the end of the command is shell redirection rather than an fping option: it sends error output (stderr) to the bit bucket so it is not displayed while running the command.


After running the command we get the following 7 hosts responding to the ping sweep. Now I will run the same scan but this time using the nmap tool.

The nmap tool is a very powerful tool and it has a lot more capabilities compared to fping. To run the same scan that we did previously but now using nmap we run:

#>nmap -sn

The -sn parameter is requesting nmap to scan the subnet for hosts that are alive.


With the nmap scan we get back 8 hosts that are alive on the network vs the 7 reported by fping. That extra host is but why? Let us take a closer look at what fping is doing vs nmap using the -sn parameter.

fping will first send out arp requests for each host on the subnet it is scanning. If a host replies to the arp request with its MAC address fping will then take that IP address and send an ICMP echo request message to it (ping).


Shown above are the arp request and the arp reply. Next the fping tool sends an ICMP echo request to But if you look at the capture there is no response found! This host has probably been set up to not respond to ICMP messages.


If you compare this to one of the hosts that did reply the output would look like this with an echo request and an echo reply.


So the reason that fping does not show the in its scan results is down to the fact that the host is configured not to respond to the ICMP ping request which is perfectly normal and is a good security practice.

On the other hand, nmap reported it to be alive. This is because the nmap -sn scan on the local subnet only sends ARP requests out, and if a host replies with its MAC address nmap marks that host as alive.

As mentioned earlier nmap is a powerful tool. Let us look at what other scans it can do. Now we know what hosts are alive on the network but that is all we know, which, let’s face it, isn’t that much. To see what services (daemons) are running on these hosts we can run another command using nmap.

The command is #>nmap -sS

The -sS parameter is telling nmap to perform a TCP SYN scan which is a stealthier scan because it does not complete a TCP 3-way handshake. When a client wants to communicate with a web server, for example, it first completes a TCP 3-way handshake and then it will start exchanging data. This is usually logged by the web server daemon that a new connection has been made which is bad news for us as it might alert a sysadmin that someone is scanning their network.

A TCP 3-way handshake looks like this.


When running the TCP SYN scan, instead of completing the 3-way handshake nmap will send an RST message in reply to the server’s SYN/ACK message as shown below. This stops the connection completing and also stops the web server daemon from logging the connection.


The result of the nmap TCP SYN scan is shown below. It goes through each IP address and sends a SYN message to each well-known port to see if the server will reply with a SYN/ACK message, meaning that the port is open, or a RST/ACK message, meaning that the port is closed. For the IP of ports 22, 53 and 80 are all open.
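The half-open pattern described above (SYN, SYN/ACK, then RST instead of ACK) is exactly what a sensor watching the same Wireshark capture can key on: an application daemon never logs the connection, but the network does see it. The code below is an added example (my own, not from the original post or from nmap): it replays a constructed packet list through a small per-connection state machine, reproduces nmap's open/closed/filtered verdict from the reply it would have seen, and reports any source that aborts handshakes on several distinct ports. Packets are plain tuples (src, dst, sport, dport, flags) with flags written as "S", "SA", "A", "R", "RA"; the addresses, ports and the three-port threshold are constructed assumptions.

```python
from collections import defaultdict

SCANNER, CLIENT, SERVER = "192.0.2.200", "192.0.2.10", "192.0.2.6"

# Constructed capture, in wire order. Not a real pcap.
SAMPLE_PACKETS = [
    # port 22 open: SYN -> SYN/ACK -> scanner answers RST (half-open probe)
    (SCANNER, SERVER, 40001, 22, "S"), (SERVER, SCANNER, 22, 40001, "SA"), (SCANNER, SERVER, 40001, 22, "R"),
    # port 23 closed: server answers RST/ACK, scanner sends nothing more
    (SCANNER, SERVER, 40002, 23, "S"), (SERVER, SCANNER, 23, 40002, "RA"),
    # ports 53 and 80 open: half-open again
    (SCANNER, SERVER, 40003, 53, "S"), (SERVER, SCANNER, 53, 40003, "SA"), (SCANNER, SERVER, 40003, 53, "R"),
    (SCANNER, SERVER, 40004, 80, "S"), (SERVER, SCANNER, 80, 40004, "SA"), (SCANNER, SERVER, 40004, 80, "R"),
    # port 443 filtered: the SYN gets no reply at all
    (SCANNER, SERVER, 40005, 443, "S"),
    # a legitimate client completes the handshake to port 80
    (CLIENT, SERVER, 51000, 80, "S"), (SERVER, CLIENT, 80, 51000, "SA"), (CLIENT, SERVER, 51000, 80, "A"),
]


def classify_port_response(reply_flags):
    """What a SYN scan concludes from the reply to its SYN probe."""
    if reply_flags is None:
        return "filtered"          # no answer: a firewall dropped the probe or the reply
    if "S" in reply_flags and "A" in reply_flags:
        return "open"              # SYN/ACK: something is listening
    if "R" in reply_flags:
        return "closed"            # RST (RST/ACK): nothing listening
    return "unknown"


def summarise_probes(packets, scanner):
    """Map each destination port the scanner probed to nmap's verdict for it."""
    replies = {}                   # (dst, sport, dport) -> flags of the reply, or None
    for src, dst, sport, dport, flags in packets:
        if src == scanner and flags == "S":
            replies.setdefault((dst, sport, dport), None)
        elif dst == scanner and (src, dport, sport) in replies:
            replies[(src, dport, sport)] = flags   # reply to our SYN, ports swapped
    return {dport: classify_port_response(f) for (_, _, dport), f in replies.items()}


def find_half_open_scans(packets, min_ports=3):
    """Sources that answer SYN/ACK with RST on at least min_ports distinct ports."""
    state = {}                     # (client, server, cport, sport) -> handshake stage
    aborted = defaultdict(set)     # client -> {(server, port)} half-open probes
    for src, dst, sport, dport, flags in packets:
        if flags == "S":
            state[(src, dst, sport, dport)] = "SYN"
        elif flags == "SA":
            key = (dst, src, dport, sport)             # server replying: swap back
            if state.get(key) == "SYN":
                state[key] = "SYNACK"
        elif flags == "A" and state.get((src, dst, sport, dport)) == "SYNACK":
            state[(src, dst, sport, dport)] = "ESTABLISHED"   # normal 3-way handshake
        elif flags == "R" and state.get((src, dst, sport, dport)) == "SYNACK":
            state[(src, dst, sport, dport)] = "ABORTED"       # the SYN-scan signature
            aborted[src].add((dst, dport))
    return {ip: sorted(ports) for ip, ports in aborted.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    print(summarise_probes(SAMPLE_PACKETS, SCANNER))
    print(find_half_open_scans(SAMPLE_PACKETS))
```

The legitimate client never trips the detector because it finishes the handshake; only a source that repeatedly tears down half-open connections with RST is reported, which is the behaviour the -sS scan relies on.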


That is it for now. I’ll go through more of the capabilities of nmap such as OS fingerprinting in my next post.

CCNA Cyber Ops

It has been a while since I have posted something on my blog. I’ve been busy studying for the CCNA Cyber Ops cert. Cisco created this certificate due to the serious lack of Cyber Security personnel worldwide, and Cisco will invest $10 Million into this program to close this gap. They opened up a CCNA Cyber Ops scholarship program which I applied for over a year ago now and I was successful in getting a place on the program.

The scholarship gives students access to an online portal where you get access to all the training material which include text slides, videos and labs for hands on training. Unlike most Cisco certifications the Cyber Ops certificate is mostly vendor neutral, yes Cisco equipment gets mentioned from time to time but most of the security tools used on the course are not Cisco such as Kali Linux, Security Onion, Burp, Wireshark, Bro, ELSA to name a few.

The certificate is broken into two exams the SECFND 210-250 exam and the SECOPS 210-255 exam.

The SECFND 210-250 exam topics are broken out into the following main areas:

  • Network Concepts
  • Security Concepts
  • Cryptography
  • Host-Based Analysis
  • Security Monitoring
  • Attack Methods

The SECOPS 210-255 exam topics are broken out into the following main areas:

  • Endpoint Threat Analysis and Computer Forensics
  • Network Intrusion Analysis
  • Incident Response
  • Data and Event Analysis
  • Incident Handling

I have to say that Cisco did a great job here and created a really interesting and engaging course. I hope they continue to develop this track into the CCNP level and beyond and that they stick to the vendor neutral delivery of this course.

I’ve now passed both exams and I’m officially CCNA Cyber Ops certified.

So what is next? I’ve started the PTSv3 course from eLearnSecurity which is a pentesting course and what I like about the course is that it is hands on learning in a lab environment and what is even better for me is the exam is hands on. You have 72 hours to carry out pentesting against designated targets. I think this is a great way to test you on what you have learned and I personally prefer this way of testing over just multiple choice questions.


CCNA Security 210-260 Passed

On Wednesday 6th of September, I passed the CCNA Sec 210-260 exam on my second attempt.

In my first attempt, I got 808; the passing score is 860, so I wasn’t a million miles away from getting a pass. I am sort of glad that I did fail the exam on my first attempt, as strange as that may seem. The reason being it showed me where I was weak and where I was strong. I went back over topics I didn’t score well in and really dug deep to understand them better. Like all Cisco exams, some of the questions were hard to understand in terms of what Cisco was actually asking or what the correct “Cisco” answer is.

I did better with my second attempt getting a score in the 900 range. So that extra study did the trick.

The resources I used:

OCG from Cisco. There has been a lot said about the book and I have to agree with what others have said. Why CPP is in the book I will never know. Also some topics are not covered in great detail but the questions asked in the exam expect you to have a better understanding.

CBT Nuggets – CCNA Security 210-260 course is very good and highly recommend it.

31 days before your CCNA Security exam which filled in some of the gaps from the OCG Book.

GNS3 for labs. The more labs you can do the better. You’ll get a better understanding of the technologies and also troubleshooting mistakes you make while setting up labs will help you learn. In GNS3 you can run the ASA, Switches, Routers, End hosts, Kali Linux to run attacks against your own topology.

What is next?

I have been accepted on the CCNA Cyber Ops Scholarship program. I start the course on the 24th of September. I plan on updating this blog with what I am learning and how the course is going.

After that, I would like to do some pentesting courses, maybe something from eLearnSecurity, and then finish off with the gold standard OSCP cert.


Clientless SSL VPN Lab

In this post I’m going to setup a Clientless SSL VPN via the ASDM GUI and then connect to it via the TinyCore Linux PC all from GNS3.



I’m using the topology above. The nodes I’m using will be the ASA with the ASDM connected via the cloud from my local PC, if you want to know how to set the ASA up with access via the ASDM check out one of my other posts: How-To: ASA in GNS3 with ASDM

I’ll also be using R4 and the Remote Worker PC which is running a TinyCore Linux to test the Clientless SSL VPN.

Configure the Clientless SSL VPN on the ASAv via the ASDM GUI


When you log into the ASDM GUI you’ll get the main screen above. Click on Wizards > VPN Wizards > Clientless SSL VPN Wizard…


The Clientless SSL VPN Wizard window will pop up, click on Next. You’ll get the following window.


Here you need to give your Clientless SSL VPN a Connection Profile Name I’ve named this one SSL_Remote_Access and I’ve also selected the Interface that the SSL VPN will connect in on which is the Outside Interface (Internet). I don’t have my own digital certificate so I’m leaving the Certificate set to None, because of this the ASA will provide a self signed certificate. I’ve also given the Connection an Alias of SSL. Click on Next


The next step is to configure User Authentication. You’ll have the choice to use an AAA server (which I don’t have) or the Local User DB, which I’ve selected. Select Authenticate using the local user database and add a new user; here I’m adding Homer. Once added, click on Next.

The next step is to set up a group policy or select an existing policy. Here I’ve set up a new policy called Remote_Users; this policy will inherit the DfltGrpPolicy attributes, which I can change later if I need to. Click on Next.


In the next step you can configure a list of bookmarks that the Remote users will be able to click on to access resources on the Corp LAN. Click on Manage > Add

Here you give the bookmark a name like EMAIL. Click on Add


You need to configure the IP address of the EMAIL server. I don’t have an email server in my lab but the bookmark will appear once I connect to the Clientless SSL VPN (hopefully).

That is it, you’ll get a summary page; click on Finish to send the config to the ASA.

With the ASA configured the next step is to configure R4 in my topology. I’ll have to give Gi0/1 an IP address ( and also a default route to send all traffic to the ASA using the command “ip route” as shown below.


Next configure the TinyCore Linux PC with an IP address in the same range as Gi0/1 I’ll use and set the default gateway to


To configure an IP address on the Linux PC click on Control Panel > Network

Set the IP address and the Gateway and click on Apply

It is always good practice to test the connectivity, open a Terminal Window in the Linux PC and ping the Gateway at


Now using the built-in Firefox browser on the Linux PC it is time to test the Clientless SSL VPN and see if we can connect to the Corp LAN. In the address bar enter the URL configured earlier which is:


Looks good. Because this is a self signed certificate from the ASA, the Firefox browser gives you a warning not to trust the site. Click on I Understand the Risks to continue. Once you accept the risk you will get the following login page.


Enter in the username and password in my case Homer.


Success !! I have logged in and as you can see the EMAIL bookmark I configured during the Clientless SSL VPN setup is there.

I hope you found this useful, get labbing and try it out for yourself.

Feedback always welcomed.

How-To: ASA in GNS3 with ASDM

After struggling to get the ASDM to work in GNS3 I thought it would be a good idea to write a blog post on how to get the ASA and ASDM working within GNS3.

Below is the ASAv image I am using and also the version of GNS3. Note if you want to run an ASAv image you must run it in GNS3VM and not in the GNS3 local.

ASA image: asav952-204.qcow2 (VIRL image)

GNS3VM Version: 2.0.0b3 on Windows

The GNS3 team have a great video showing you how to import the ASAv image into GNS3.

I would strongly recommend that you view that video.

They also recommend that you use the ASAv directly from Cisco’s VIRL software. A google search will get you the image you need.

I had a few issues getting the ASDM GUI working initially, note that you do NOT have to import the ASDM .bin file onto the ASA it is already on there even if you can’t see it when you do a dir, trust me it is!

Below is the topology I am using. Drag your newly imported ASAv image onto the workspace along with the GNS3 Ethernet Switch and the Cloud object. Connect the ASA Management 0/0 interface to the switch and then using another port on the switch connect it to the Cloud and select eth1 as the interface on the cloud, the eth1 interface should be bridged from VMware to your local machine.


Next, you need to configure the ASAv to get an IP address via DHCP and also activate the http server on the ASA and allow the IP that you get from DHCP to access the http server on the ASA.


When you go into enable mode it will ask you for a password don’t panic as you just press enter and it will continue into enable mode this is the default behaviour of the ASA. Go into configuration mode and configure the management interface as shown above.

Wait a minute and then run the #show ip command. As you can see in my setup I’ve been given an IP address of

Next, we need to enable http servers on the ASA to allow us to access it via the ASDM GUI.


The commands to do this are #http server enable and #http 0 0 mgmt. I cheated a bit by using the http 0 0 mgmt command. I could have said only allow the IP address or subnet of to access the ASA via the ASDM. The command I used above is basically allowing any IP to connect to the ASA; because this is just a lab that is fine, but you wouldn’t want to do this on a production ASA.
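The "any IP may reach ASDM" shortcut is easy to leave behind once a lab config gets copied somewhere it matters, so it is worth having a check that spots it in a running-config dump. The script below is an added example (my own code, not from the original post or from Cisco) that audits the http/ASDM access lines: it flags an `http 0 0 <iface>` or `http 0.0.0.0 0.0.0.0 <iface>` line, an unparsable address/mask, and an enabled http server with no `aaa authentication http console` line. The two config fragments are constructed, the 192.0.2.0/24 admin subnet is a placeholder, and the password value is a labelled placeholder rather than a real credential.

```python
import ipaddress
import re

# Constructed lab config in the shape of the commands in this post: ASDM reachable from anywhere.
WEAK_CONFIG = """interface Management0/0
 nameif mgmt
 ip address dhcp
http server enable
http 0 0 mgmt
"""

# Constructed hardened variant: access limited to an admin subnet, logins via the local user DB.
HARDENED_CONFIG = """interface Management0/0
 nameif mgmt
 ip address dhcp
http server enable
http 192.0.2.0 255.255.255.0 mgmt
aaa authentication http console LOCAL
username admin password PLACEHOLDER-NOT-A-REAL-PASSWORD privilege 15
"""

# "http <address> <mask> <interface>" (the ASA also accepts the shorthand "http 0 0 mgmt")
HTTP_ALLOW_RE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)$")


def _allows_any(addr, mask):
    """True for the any-source forms: '0 0' shorthand or 0.0.0.0 0.0.0.0."""
    return addr in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0")


def audit_asdm_access(config_text):
    """Return a list of findings (empty list means the ASDM access lines look sane)."""
    findings = []
    http_enabled = False
    has_aaa_http = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "http server enable":
            http_enabled = True
            continue
        if line.startswith("aaa authentication http console"):
            has_aaa_http = True
            continue
        m = HTTP_ALLOW_RE.match(line)
        if not m:
            continue
        addr, mask, iface = m.groups()
        if _allows_any(addr, mask):
            findings.append(f"'{line}': ASDM/HTTPS reachable from any address on {iface}; "
                            f"restrict to the admin subnet")
            continue
        try:
            ipaddress.ip_network(f"{addr}/{mask}", strict=False)   # validates address + mask
        except ValueError:
            findings.append(f"'{line}': address/mask could not be parsed")
    if http_enabled and not has_aaa_http:
        findings.append("http server enabled without 'aaa authentication http console': "
                        "ASDM logins are not checked against a user database")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_asdm_access(cfg) or "OK")
```

Feed it the text of `show running-config`; the check is deliberately narrow (only the http access lines and their authentication), which keeps it reliable across the different ways the ASA prints the rest of the config.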

So you are all set now to access the ASA via the ASDM GUI. Open a webpage and enter the IP address that was assigned to your management interface via DHCP. NOTE you must use HTTPS:// after all it is a security device we are accessing here.

You will get a warning message when you first try to connect to it saying that it isn’t secure as the certificate is a self-signed certificate from the ASA and your browser will not recognise it as a trusted site. Just click on Advanced and add an exception.


At this stage, you should get the following screen. Note you’ll need to have java installed on your machine to be able to run the ASDM. Select Install ASDM Launcher this will install an icon on your desktop so you can run the ASDM directly from there which will save you having to go via a webpage each time. When you start the ASDM launcher you’ll be asked to put in the IP address which will be the IP address that was assigned to the management interface. I didn’t set a username or password just click on connect.

You should be now logged in 🙂




ASA Lab with ASDM


It has been too long since my last post. I’ve been very busy in work and also studying away working towards CCNA security. I just wanted to show what my latest topology looks like that I will be using to study with doing as many labs as possible. Hopefully, this will grow over time.

The topology has full access to the Internet which is great.

And also the most important piece is I have the ASDM running from my browser on my PC 🙂 as you can see below.


This is a big deal as I will be able to configure the ASA from the ASDM and practice using it as much as possible.

I will probably add a zone-based router to the topology at some stage as well. The switches are vIOS switches which will allow me to do Port Security and DHCP Snooping etc.

If you have any questions on the setup let me know.

Note: The lab has been built using GNS3 version 2.0b3



Labs Labs Labs…

For me labs are the most important part of my pursuit of certification. I am a visual learner more than anything else and I find doing labs is a great way to learn; it also helps you remember topics and commands. Another important part is troubleshooting your lab: when you first configure something chances are it won’t work first time round, so you have to think about what steps you have taken in configuring the lab and start troubleshooting the issues. What a great way to learn.

So what is the best way to practice using labs? The lab rental model is good if you don’t have the physical hardware, which can be expensive to buy and run in your own home lab. The other option is to run virtual labs on your own PC at home, and it’s the one I use.

I built my own PC which was another great learning experience. It has an i5 Intel processor, with 16G of RAM, 250G SSD, ASRock Motherboard... I won’t bore you with all the details but it’s a powerful enough machine.

So what is the best software out there to run on your own PC? I use a combination of software depending on what I am doing. I use Packet Tracer for very quick and basic labs. I also run GNS3 for more complex labs, which I used a lot for my CCNP R&S certification exams.

But the latest one I am using is Unified Networking Labs or UNL for short. To run the UNL software you must use VMWare or VirtualBox and need a powerful PC depending on the complexity of the lab you want to run. You can download the software from if you are interested in trying it out.

So why UNL? Well it supports a lot of the security appliances you need to use for the CCNA Security exam. ACS, ASA, ASAv, Cisco Switches IOU, Cisco Routers to name a few. It is really important to get some hands on experience on the ASA in particular and also its GUI interface the ASDM.

Unified Network Labs

Below I will show you what it looks like and also setup the ASA and a Virtual Windows Machine to access the ASDM from all within the UNL system.

I won’t go into detail on how to install the software as the UNL website does a really good job of that and also provides videos as well.

UNL Login Screen

Once you start the VMWare for UNL you log onto the system via your browser. Username/Password is admin/unl.

Once logged in you’ll get the following screen.


To create a new lab click on Actions and ‘Add a new lab’

After naming your lab and saving it it will appear in your list, double click on the lab and then select Open.


On the left hand side click the plus button to add an object and select node. Select ASAv from the list to add it to the lab, do this again and select Windows to add a virtual Windows machine. Next select the link icon to add a link between the nodes.

Next step is to Start the nodes by right clicking on them and selecting Start. Now the fun begins configuring the ASAv and Windows machine so we can not only configure the ASAv via the CLI but also using the ASDM GUI.

First thing we need to do is configure the ASAv node. I am using putty here.


First step, configure the management interface that is connected to the Windows machine. Here I gave it an IP address of

I then enable http server and also told the ASA what network is allowed to connect to it.

What isn’t shown in the screen capture above is configuring a username and password to use via the ASDM. The command for this is:

#username admin password admin123 privilege 15

You also need to tell the ASDM how to authenticate the user and what database to use. I’m just using the local ASA one.

#aaa authentication http console LOCAL

That is it! Now save your configuration using the wr command.

Next the Windows machine. I connect to it via Remote Desktop Viewer (I run Linux on my home PC)


Nothing special here apart from the fact that you need to have the Windows machine on the same network as the ASA. Open up Network Connections and enter in an IP address in the subnet. I used

Once configured run a quick ping test.



Double click on the ASDM icon to launch the ASDM and configure the IP address as the IP address you gave the management interface on the ASAv in my case and the username/password of admin/admin123.



Bingo! I am now connected to the ASAv via the ASDM GUI.

I hope you find this useful. Any questions just ask in the comments section.

NOTE: You need to download and install the different images you want to use in the UNL system via the Cisco website just like you have to do with GNS3. The UNL website has a HOW-TO guide on how to import them into the system.