Keepnote
Quite a while ago I decided to embark on the journey towards the OSCP certification. One of the recommended applications for keeping notes during the penetration test of the lab environment, and eventually the exam, is the Keepnote application.
This blog post is just a few tips that I have compiled on my way towards using Keepnote successfully.
Keeping It Synchronized Across Systems
One of the first challenges that I ran into is the strategy for keeping a Keepnote notebook synchronized between computers. I suppose one option is to simply store and access the notebook from a USB key. This doesn't work for me, since my rule for USB keys is never to walk away from a computer while a USB key remains inserted in it. This is especially important in a work environment or other potentially hostile environment where your USB key (or external drive) could be swiped or infected by a third party.
I found that copying the Keepnote notebook from one computer to another is a challenge. You can't simply overwrite the notebook; it will eventually get corrupted. And if you get into the habit of deleting the notebook before copying in the modified one, there is the challenge of ensuring that you don't accidentally replace a notebook with an older copy.
What if you include the source code for an exploit (or a compiled file saved as an attachment) and your host's antivirus handily wipes the file for you?
The solution that I have been using for a while now is an encrypted file store created with VeraCrypt, in which my Keepnote notebooks and all other exploit source code and compiled code are saved. My synchronization strategy is then simply to copy this one encrypted file to my USB key and from there to my other systems. I only ever open the encrypted file from a shared directory, using VeraCrypt installed in my Kali VM, so the host antivirus never sees the contents.
There is still some effort required to ensure that you are not replacing a newer encrypted file store with an older one, but it is just one file, so it is easy to create a backup (rename it) before copying in the new encrypted file store.
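As an added example (not code from the original post), a small POSIX shell helper for the copy step above: it renames the existing container to a timestamped backup before copying in the new one, and refuses to overwrite a container that is newer than the incoming file. The file names and paths in the usage comment are constructed.

```shell
#!/bin/sh
# Constructed example: copy the single VeraCrypt container (the encrypted file
# store) into place, keeping a renamed backup of the old copy and refusing to
# replace a newer container with an older one.
# Usage: sync_container /media/usb/vault.hc "$HOME/share/vault.hc"

sync_container() {
    src="$1"
    dst="$2"
    if [ ! -f "$src" ]; then
        echo "source missing: $src" >&2
        return 2
    fi
    if [ -f "$dst" ]; then
        # -nt compares modification times: a destination newer than the
        # source means the copy would roll back notes, so stop here.
        if [ "$dst" -nt "$src" ]; then
            echo "refusing: $dst is newer than $src" >&2
            return 1
        fi
        # Identical content already in place: nothing to do, no backup needed.
        if cmp -s "$src" "$dst"; then
            echo "unchanged: $dst" >&2
            return 0
        fi
        backup="$dst.bak.$(date +%Y%m%d%H%M%S)"
        mv "$dst" "$backup"
        echo "backup: $backup" >&2
    fi
    # cp -p preserves the modification time so later -nt checks stay valid.
    cp -p "$src" "$dst"
}
```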
Important Update: I discovered that the Keepnote corruption I was still occasionally experiencing was due to a problem with the combination of VeraCrypt and a VirtualBox shared folder. The solution is to always restart the Kali guest VM between mountings of the VeraCrypt file store. See my post on the VeraCrypt forums for more details: https://sourceforge.net/p/veracrypt/discussion/general/thread/7c67b68b/
What size of file store should you create? That is up to you, but I created mine at 500MB, and so far I have been able to keep 3 separate Keepnote notebooks, all the scanning results from the OSCP labs, all my custom scripts, all the exploit source code and compiled code, and numerous extra tools for post-exploitation in this one encrypted file.
Emptying The Trash
Keepnote has a handy Trash-can that deleted notes and folders end up in. I have had situations where emptying a deleted note (perhaps a copy of an existing note, or one that simply had the same name as an existing note) from this Trash-can also removed an existing note that I wanted to keep from within my notebook.
My solution: if you see stuff building up in this Trash-can and you want to remove it, first exit Keepnote. Then browse into the trash directory and delete everything except the Keepnote file called node.xml.
When you restart Keepnote, the trash is empty and you have not deleted anything from the notes you want to keep within your notebook.
Corrupted Keepnote Notebook
You will eventually end up with a situation where the main node.xml or notebook.nbk file gets corrupted. It has happened to me numerous times over the years.
Fortunately, all that is required is to clear these files and leave an empty <node></node> (node.xml) or <notebook></notebook> (notebook.nbk) XML construct in the file. Then you can open the notebook again with Keepnote and carry on as if nothing happened.
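An added shell helper, not from the original post, that scripts the two manual fixes from this section and from the Trash section above: emptying the trash directory while keeping node.xml, and resetting a corrupted node.xml or notebook.nbk to the empty element, after saving the damaged file next to it. The `pgrep -x keepnote` guard and the paths in the usage comment are assumptions; the trash directory is passed in rather than guessed.

```shell
#!/bin/sh
# Constructed example: close Keepnote before running either function.
# Usage: keepnote_empty_trash "$HOME/notebooks/oscp/<trash dir>"
#        keepnote_reset_file  "$HOME/notebooks/oscp/notebook.nbk"

# Delete every entry in the trash directory except node.xml, which Keepnote
# needs in order to keep the Trash node itself.
keepnote_empty_trash() {
    trash="$1"
    [ -f "$trash/node.xml" ] || { echo "not a trash dir: $trash" >&2; return 1; }
    # Assumption: a running Keepnote shows up as a process named keepnote.
    if pgrep -x keepnote >/dev/null 2>&1; then
        echo "close Keepnote first" >&2
        return 1
    fi
    # Second pattern picks up dot-files; skip names that do not exist.
    for entry in "$trash"/* "$trash"/.[!.]*; do
        [ -e "$entry" ] || continue
        [ "$(basename "$entry")" = node.xml ] && continue
        rm -rf "$entry"
    done
}

# Replace a corrupted node.xml or notebook.nbk with the minimal empty element
# the text describes, keeping a timestamped copy of the damaged file.
keepnote_reset_file() {
    f="$1"
    case "$(basename "$f")" in
        node.xml)     root=node ;;
        notebook.nbk) root=notebook ;;
        *) echo "expected node.xml or notebook.nbk: $f" >&2; return 1 ;;
    esac
    [ -f "$f" ] && cp -p "$f" "$f.corrupt.$(date +%Y%m%d%H%M%S)"
    printf '<%s></%s>\n' "$root" "$root" > "$f"
}
```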
Opening A Keepnote Notebook
In Kali, opening the notebook.nbk file from the file manager with Keepnote as the selected application will open a notebook from a location where Keepnote's own open dialog does not seem to work (typically the path or file is grayed out in the Keepnote file dialog).
Transferring Contents Of A Note
When transferring the contents of a note in Keepnote to a Microsoft Word document (for example when you are writing your penetration test report), you will find that only the text copies, or only an image copies. You need to copy the images separately from the note. That is what I experienced, at least.
Additionally, text pasted into Word will have excessive space between lines unless you first copy it into a text editor in Kali such as Geany.
Screenshots For Your Note In Keepnote
One thing I have grown especially fond of in Kali is the key combination SHIFT-CTRL-PRINT SCRN. This lets you select the area of the current display to capture as a screenshot. Then simply CTRL-V to paste the capture into a note in Keepnote.
If you need a screenshot of something in an RDP session on a target, click on the Kali title bar near the time/date at the top to take focus out of the RDP session without bringing some other window to the foreground. Then press SHIFT-CTRL-PRINT SCRN as usual and select the area of the display you wish to capture.
Caution
Sometimes when attempting to select an image (screenshot) in a note and delete it, Keepnote will attempt to delete the entire note. It will usually show a yes/no prompt, which should be a heads-up that something is happening that you need to pay attention to. Undo will not undelete an entire note. Since there is a Trash-can in Keepnote, it should be possible to drag your deleted note back into your notebook if you happen to click Yes without thinking.
Preparing A Terminal For A Screenshot
One key combination I learned while watching the instructional videos for the SLAE64 training created by Vivek Ramachandran is CTRL-L. It both clears the terminal and moves the current line to the top of the terminal, so when you execute a command you wish to capture in a screenshot, none of the prior text is visible.