May 8, 2021
Crash Course: Pentesting
Assuming that you have basic linux and networking knowledge. This post is also not meant to be a “be all end all” for penetration testing.
NMAP
nmap(network mapper) is one of the most important tools in a pen testers arsenal. It allows a pen tester to see which ports are open, and information about which services are running on those ports.
To specify which port(s) to scan?
-p
To do a “ping scan”(just tests if the host(s) is up)?
-sn
What is the flag for a UDP scan?
-sU
How do you run default scripts?
-sC
How do you enable “aggressive mode”(Enables OS detection, version detection, script scanning, and traceroute)
-A
What flag enables OS detection
-O
How do you get the versions of services running on the target machine
-sV
Netcat
Netcat aka nc is an extremely versatile tool. It allows users to connect to specific ports and send and receive data. It also allows machines to receive data and connections on specific ports, which makes nc a very popular tool to gain a Reverse Shell.
How do you listen for connections?
-l
How do you enable verbose mode(allows you to see who connected to you)?
-v
How do you specify a port to listen on
-p
How do you specify which program to execute after you connect to a host(One of the most infamous)?
-e
How do you connect to udp ports
-u
WEB enumeration — gobuster
One of the main problems of web penetration testing is not knowing where anything is. Basic reconnaissance can tell you where some files and directories are; however, some of the more hidden stuff is often hidden away from the eyes of users. This is where gobuster comes in, the idea behind gobuster is that it tries to find valid directories from a wordlist of possible directories. gobuster can also be used to valid subdomains using the same method.
How do you specify directory/file brute forcing mode?
dir
How do you specify dns bruteforcing mode?
dns
What flag sets extensions to be used?
Example: if the php extension is set, and the word is “admin” then gobuster will test admin.php against the webserver
-x
What flag sets a wordlist to be used?
-w
How do you set the Username for basic authentication(If the directory requires a username/password)?
-U
How do you set the password for basic authentication?
-P
How do you set which status codes gobuster will interpret as valid?
Example: 200,400,404,204
-s
How do you skip ssl certificate verification?
-k
How do you specify a User-Agent?
-a
How do you specify a HTTP header?
-H
What flag sets the URL to bruteforce?
-u
WEB enumeration — nikto
nikto is a popular web scanning tool that allows users to find common web vulnerabilities. It is commonly used to check for common CVE’s such as shellshock, and to get general information about the web server that you’re enumerating.
How do you specify which host to use?
-h
What flag disables ssl?
-nossl
How do you force ssl?
-ssl
How do you specify authentication(username + pass)?
-id
How do you select which plugin to use?
-plugins
Which plugin checks if you can enumerate apache users?
apache users
How do you update the plugin list
-update
How do you list all possible plugins to use
-list-plugins
Metasploit
Metasploit is one of the most popular penetration testing frameworks around. It contains a large database of almost every major CVE, which you can easily use against a machine.
What command allows you to search modules?
search
How do you select a module?
use
How do you display information about a specific module?
info
What command lets you view advanced options for a specific module?
advanced
How do you list options that you can set?
options
Once you have found the module for the specific machine that you want to exploit, you need to select it and set the proper options.
What command allows you to set options?
setWhat option sets the architecture to be exploited?
archWhat option sets the payload to be sent to the target machine?
payloadOnce you’ve finished setting all the required options, how do you run the exploit?
exploit
What flag do you set if you want the exploit to run in the background?
-j
How do you list all current sessions?
sessions
What flag allows you to go into interactive mode with a session(“drops you either into a meterpreter or regular shell”)
-i
Meterpreter
Once you’ve run the exploit, ideally it will give you one of two things, a regular command shell or a meterpreter shell. Meterpreter is metasploits own “control center” where you can do various things to interact with the machine. A list of commonmeterpreter commands and their uses can be found here
Note: Regular shells can usually be upgraded to meterpreter shells by using the module post/multi/manage/shell_to_meterpreter
What command allows you to download files from the machine?
download
What command allows you to upload files to the machine?
upload
How do you list all running processes?
ps
How do you change processes on the victim host(Ideally it will allow you to change users and gain the perms associated with that user)
migrate
What command lists files in the current directory on the remote machine?
ls
How do you execute a command on the remote host?
execute
What command starts an interactive shell on the remote host?
shell
How do you find files on the target host(Similar function to the linux command “find”)
search
How do you get the output of a file on the remote host?
cat
How do you put a meterpreter shell into “background mode”(allows you to run other msf modules while also keeping the meterpreter shell as a session)?
background
Hash cracking
Often times during a pen test, you will gain access to a database. When you investigate the database you will often find a users table, which contains usernames and often hashed passwords. It is often necessary to know how to crack hashed passwords to gain authentication to a website(or if you’re lucky a hashed password may work for ssh!).
hashcat
hashcat is another one of the most popular hash cracking tools. It is renowned for its versatility and speed. Hashcat does not have auto detection for hashtypes, instead it has modes. For example if you were trying to crack an md5 hash the “mode” would be 0, while if you were trying to crack a sha1 hash, the mode would be 100.
A full list of all modes can be found here.
What flag sets the mode.
-m
What flag sets the “attack mode”
-a
What is the attack mode number for Brute-force
3
What is the mode number for SHA3–512
17600
John The Ripper
John The Ripper(jtr) is one of the best hash cracking tools available. It supports numerous formats of hashes and is extremely easy to use, while having a lot of options for customization.
What flag let’s you specify which wordlist to use?
-wordlist
What flag lets you specify which hash format(Ex: MD5,SHA1 etc.) to use?
— format
How do you specify which rule to use?
— rules
SQL Injection
SQL injection is the art of modifying a SQL query so you can get access to the target’s database. This technique is often used to get user’s data such as passwords, emails etc. SQL injection is one of the most common web vulnerabilities, and as such, it is highly worth checking for
Sqlmap is arguably the most popular automated SQL injection tool out there. It checks for various types of injections, and has plenty of customization options.
How do you specify which url to check?
-u
What about which google dork to use?
-g
How do you select(lol) which parameter to use?(Example: in the url http://ex.com?test=1 the parameter would be test.)
-p
What flag sets which database is in the target host’s backend?(Example: If the flag is set to mysql then sqlmap will only test mysql injections).
— dbms
How do you select the level of depth sqlmap should use(Higher = more accurate and more tests in general).
— level
How do you dump the table entries of the database?
— dump
Which flag sets which db to enumerate?
-D
Which flag sets which table to enumerate?
-T
Which flag sets which column to enumerate?
-C
How do you ask sqlmap to try to get an interactive os-shell?
-os-shell
What flag dumps all data from every table
-dump-all
Occasionally you will be unable to use sqlmap. This can be for a variety of reasons, such as a the target has set up a firewall or a request limit. In this case it is worth knowing how to do basic manual SQL Injection, if only to confirm that there is SQL Injection. A list of ways to check for SQL Injection can be found here.
Samba
Most of the pentesting techniques and tools you’ve seen so far can be used on both Windows and Linux. However, one of the things you’ll find most often when pen testing Windows machines is samba, and it is worth making a section dedicated to enumerating it.
Note: Samba is cross platform as well, however this section will primarily be focused on Windows enumeration; some of the techniques you see here still apply to Linux as well.
How do you set the username to authenticate with?
-u
What about the password?
-p
How do you set the host?
-h
What flag runs a command on the server(assuming you have permissions that is)?
-x
How do you specify the share to enumerate?
-s
How do you set which domain to enumerate?
-d
What flag downloads a file?
-download
What about uploading one?
— upload
Given the username “admin”, the password “password”, and the ip “10.10.10.10”, how would you run ipconfig on that machine
smbmap -u “admin” -p “password” -H 10.10.10.10 -x “ipconfig”
smbclient
smbclient allows you to do most of the things you can do with smbmap, and it also offers you and interactive prompt.
How do you specify which domain(workgroup) to use when connecting to the host?
-w
How do you specify the ip address of the host?
-I
How do you run the command “ipconfig” on the target machine?
-c “ipconfig”
How do you specify the username to authenticate with?
-u
How do you specify the password to authenticate with?
-p
What flag is set to tell smbclient to not use a password?
-N
While in the interactive prompt, how would you download the file test, assuming it was in the current directory?
get test
In the interactive prompt, how would you upload your /etc/hosts file
put /etc/hosts
impacket is a collection of extremely useful windows scripts. It is worth mentioning here, as it has many scripts available that use samba to enumerate and even gain shell access to windows machines. All scripts can be found here.
Note: impacket has scripts that use other protocols and services besides samba.
privilege escalation is such a large topic that it would be impossible to do it proper justice in this type of room. However, it is a necessary topic that must be covered, so rather than making a task with questions, I shall provide you all with some resources.
General:
https://github.com/swisskyrepo/PayloadsAllTheThings (A bunch of tools and payloads for every stage of pentesting)
Linux:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ (a bit old but still worth looking at)
https://github.com/rebootuser/LinEnum (One of the most popular priv esc scripts)
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh (Another popular script)
https://github.com/mzet-/linux-exploit-suggester (A Script that’s dedicated to searching for kernel exploits)
https://gtfobins.github.io (I can not overstate the usefulness of this for priv esc, if a common binary has special permissions, you can use this site to see how to get root perms with it.)
Windows:
https://www.fuzzysecurity.com/tutorials/16.html (Dictates some very useful commands and methods to enumerate the host and gain intel)
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp (A bit old but still an incredibly useful script)
https://github.com/411Hall/JAWS (A general enumeration script)
