PentesterBook
by Daniele Volpe
Penetration Test Methodology
Legal Paper Work
Request for Proposal (RFP)
Proposal to submit
Project Scope
Test Environment
Rules Of Engagement
Announced VS Unannounced
Black Box VS Crystal-Box Test
Contractual Agreements
Report
The Report
Executive Summary
Introduction
Findings
Screenshots
Methodology
Conclusions
Appendices
Consultancy
External Pentest
Network Pentest
Testing Methodologies
Attacker Testing Infrastructure
Build a Lab
Penetration testing from the Cloud
Penetration Testing via SSH (or VPN)
Telesploit
Telesploit Relay
Configure the AWS instance of the Relay
Configure Relay from the Client
Add authorized_keys to the relay
update
Telesploit Server
Configure Server
Configure from ssh
Telesploit Client
Configure Client
How connections are forwarded from the client
Reconnaissance (OSINT: Open Source Information Gathering)
Verify the Scope
Maintain Inventory (Gathering)
Spreadsheet (Individual)
Freemind: mindmapping (Individual)
Dradis (Collaborative)
Document Metadata Analysis
FOCA (webspider + search structured data)
New project (example)
extract and analyze metadata from files
Enumeration
Exiftool (structured data in documents)
Tesseract (OCR text in images)
Strings command (unstructured data)
Steghide
Google Dork: find files and directories
Email metadata
Email headers
Delivery Status Notifications
Infrastructure Information Gathering
Whois Lookups
Netcraft
multiple domains for a single IP address
Tool:recon-ng
Marketplace
Database
Modules
whois_miner
scylla
reverse_resolve (is dig better??)
cache_snoop
GHDB
export the data
Tools
dig
nmap (NSE)
fierce
dnsrecon
dnsenum
dnsmap
spyse
Shodan
exploits
Websites OSINT
Web Presence
Partner and Third Parties
Job Posting
Financial Information
Social Media
Harvesting email and accounts
theharvester
Scylla
Cached and Archival Sites
Google Dork
Search Diggity
Social Engineering (not always allowed)
Phishing
malicious file with .desktop file vulnerability
Tools
Social Engineering Toolkit (SET)
Credential Stuffing
email stuffing
Enumerating valid accounts
BurpSuite Intruder Sniper
wfuzz
Login Office 365
Login Outlook Web Access (OWA)
GHunt
Scanning and Enumeration
Scan the LAN (ARP packets)
Windows
DNS
DNS Scans
DNS Lookup
DNS in the Internal Network
Zone Transfers
FQDN reachable by querying the internal DNS server
CHAOSNET queries
Solution
DNS reconnaissance tools
Host Discovery in the Internal Network with DNS
Network Sweeping (Host discovery) [-P*]
nmap
Local Area Network
-PR: nmap default host discovery (ARP)
-PE/-PP: ICMP ping
-PS/-PA: no ping (spot a firewall)
ip neigh: Finding IPv6 targets
Powershell
arp-scan
netdiscover
Network Tracing
Port Scanning (on hosts alive)
nmap [-s*]
SCAN TECHNIQUES
-Pn: no Ping
-sT: TCP Connect Scan
-sS: TCP SYN Scan
-sI: TCP Idle Scan (Red Teaming)
How Fragmentation works
How Idle Scan works
IP ID Sequence Generation algorithms
Idle Scan with hping3
nmap+hping3 (more reliable)
-sA: TCP ACK Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
-sM: TCP Maimon Scan [BSD Systems]
-sU: UDP scan
-sO: IP protocol scan
-b: FTP bounce scan
-p53 --source-port 53: DNS
WAF identification
nmap Firewall/IDS/IPS evasion
IPv6
-f/--mtu
-D
--source-port [port]
--spoof-mac
--randomize-hosts
-T[0-5]
TTL manipulation (--ttl)
--data-length
hping3
Powershell
masscan
Angry IP scanner
Google Colab (Cloud)
OS Fingerprinting (on hosts alive)
active fingerprinting
nmap
-O & --osscan-guess: OS fingerprinting
-A: Aggressive scan option
NSE
passive fingerprinting
p0f
Service Scanning (hosts alive)
nmap -sV
-sC: common NSE scripts
Complete Scan (-A --osscan-guess --version-all -p-)
Mail Servers
Locate Mail Transfer Agent (MTA)
Sender Policy Framework (SPF)
-O SPF entry
SMTP
Check if a Mail Server is an open relay
Manually enumerate Users on the Server
-O Enumerate Users with Tools
POP3
AutoRecon
default scans commands
Tools
hping3
nmap
-s* options
-P* options
Timing
Nmap Scripting Engine (NSE)
fping
Maltego
Transforms
examples
DNSdumpster
DNSenum
Google Colab (Cloud)
Sniffing/Spoofing/Poisoning
Passive Sniffing
Active Sniffing/Spoofing
MAC Flooding (Switch)
Dsniff
macof (MAC Flooding)
ARP Cache Poisoning (Switch)
Host Poisoning
arpspoof: sniff traffic between hosts
SMB files
Gateway Poisoning
Tool: Dsniff
arpspoof (ARP Poisoning)
ICMP redirect attack
Configuration settings (attacker side)
Forge ICMP redirect packets
Send forged packet and intercept with wireshark
explanation of the packets
Examine captured packets
Identify an attack
DNS Spoofing (Router)
DHCP Spoofing (Router)
Public Key exchange (Man in the Middle)
Intercept SSL traffic
Sniffing Windows Challenge/Response Authentication
Sniff and extract voice traffic from RTP stream
Sniffing Web Application login
NetNTLM attacks
extract NetNTLMv2 hashes from pcap file and crack
Man-in-the-Middle techniques (IPv4)
exploit Single Sign-On (SSO) implementation of Windows in order to capture NTLM hashes
Capture the Hashes: redirect to Attacker's SMB share using UNC path
Get a Shell: redirect to Attacker's SMB share using UNC path
LLMNR & NetBIOS NS Spoofing/Poisoning (misspelled share queries)
Responder
How to set up the Lab
Attack with Responder listening for misspelled SMB share queries on the local network
WPAD Spoofing/Poisoning
Responder: capture credentials
NTLM/SMB Relay attack
Wireshark Capture
Discover Host with SMB signing disabled
NTLMv1 Relay (Metasploit)
NTLMv2 Relay
Responder + (smbrelayx | ntlmrelayx) --> (Meterpreter | Netcat)
Responder
payload with msfvenom
listen for incoming connections from the Target Server
start the script smbrelayx OR ntlmrelayx
Responder and Ntlmrelayx --> SMB shell
Hot Potato: WPAD Spoofing + NTLM relay attack
Juicy Potato: RPC + NTLM relay
Rotten Potato (see Juicy Potato)
Man-in-the-Middle techniques (IPv6)
NTLM Relay attack (IPv6)
DNS spoofing: setup IPv6 of the attacker as DNS server
Exploiting WPAD
Target LDAP Secure Service
Target SMB service (and connection with proxychains)
How to increase security against
misspelled share queries
NTLM relay attacks using SMB
abusing WPAD
theft of easily crackable credential hashes
Windows XP/7
Windows 7
IPv6 attacks
in & out connections
Password Cracking
Tools
Dsniff
arpspoof (ARP Poisoning)
macof (MAC Flooding)
Ettercap
ARP Poisoning
sniff credentials on an HTTP connection
SSL traffic intercept
Sslstrip
SSL stripping attack
Sslstrip+
MITMf
MITMf installation
Cain (Windows)
ARP Poisoning
LLMNR & NetBIOS NS Spoofing/Poisoning
Cracker
Bettercap
wireshark
interface
coloring rules
configuration
generate example traffic
filter
Display Filters
Capture Filters
http (clear text data)
https (encrypted protocol)
tcpdump
Vulnerability assessment
Automated Scanners
Nessus
Start new scan
Settings
Credentials
Plugins
Report
ICS
Parse data out of Nessus
NSE Vulnerability Scanners
Autorecon NSE scripts
Manual Testing
NFS (ports 111, 2049)
NetBIOS, SMB
-p137,139: NetBIOS
NetBIOS Name Service (UDP:137)
NetBIOS Datagram Service (UDP:138)
NetBIOS Session Service (TCP:139)
-p445: SMB
Windows tools
Windows standard tools
external Windows tools
enum
winfingerprint
dumpsec (NO)
Linux Tools
enum4linux
Samba Suite
nmblookup
smbclient (connect to smb shell)
rpcclient
smbmap.py (check type of access we have to the shares)
nmap
Identify version of Samba
find if a host is null session vulnerable
nbtscan
python-impacket
Vulnerabilities
Username Map Script (CVE-2007-2447)
Configuration issues
Samba Symlink Directory Traversal (configuration issue)
www writable share
BruteForce Username and Password
psexec (metasploit)
Metasploit
SNMP
Linux Tools
Find Community name of Hosts running SNMP
Snmpwalk
syscontact OID
hrSWInstalledName OID
More Information
Snmpset: set new value object
Nmap NSE SNMP
snmp-brute
snmp-win32-services
snmp-win32-users
DNS
DNSSEC: make DNS more secure
DNS Cache Snooping
Solutions
DNS Amplification Attack
Check if the DNS is an open resolver
Check Amplification
botnet: which domain and DNS to use?
Edit dnsdrdos.c
metasploit module
DNS Cache Poisoning
Fuzzing DNS
Exploitation
Low Hanging Fruits (LHF)
Password Guessing
WARNING: Linux/UNIX Account Lockout
WARNING: Windows Account Lockout
MSSQL database Metasploit exploits
Types of exploits
Client-side Exploits
firefox version 35-36 bug
Adobe Flash Player version: 11&18 bug
Remote(service)-side Exploits
ms08-067
EternalBlue
Metasploit
How to use metasploit
msfconsole steps
start msfconsole
show modules
search exploits
see code of a module
load exploit
set payload and option
launch the exploit
stop sessions and jobs
example: set up server listening
examples (for now not so useful)
find live hosts with an ARP scan
find port open with a port scan
msfvenom
Metasploit Framework
Metasploit Framework Filesystem
Pry shell to understand ruby commands
meterpreter source code
ClientCore (core) (not a typical extension)
use method
migrate method
stdapi extensions
fs
sys
net
registry
privilege escalation extensions
Modules
Plugins
Tools
Write a custom metasploit module
where put the module
run module
possible errors
AV Evasion
Encoders
Veil Framework
Veil console
example: understand payload generated
example: execute payload on the target
Veil commands
Powershell
Disable AV
Powershell encrypters
SecureString
PowershellCrypter (my version)
PowershellAES (fork)
xencrypt
Powershell Obfuscators
Invoke-CradleCrafter
Invoke-Obfuscation
method SET SCRIPTPATH: obfuscate a file directly on the PC
method SET SCRIPTBLOCK: obfuscate a command
Powershell EncodedCommand
Evasion: download and run file in memory
Evasion: download file to disk
custom SSL certificate
search exploit for Windows
search exploit for Linux
search exploit for Linux/Windows (searchsploit, google)
example of how to deliver the exploit
Databases of exploits
Buffer Overflow
Security Implementations
Tool: EMET
ASLR
find processes ASLR enabled/disabled
Bypass ASLR Techniques
DEP
Bypassing DEP Techniques
Stack Canary (or Stack cookie)
Bypass Stack Canary Technique
functions vulnerable to Buffer Overflows
finding Buffer Overflows
fuzzer
Steps to conduct a Buffer Overflow (OSCP & eCPPT)
connect with netcat
Spiking
Fuzzing
Fuzzing (example2)
replicate the crash
replicate the crash (with the same amount of characters that caused the crash)
Find the Offset
Overwrite the EIP
Expanding the Space and Obtaining a Safe Padding
Finding Bad Characters
finding bad characters with mona
Not all BadChars are bad
Not all BadChars are Bad (example 2)
Find the right module for JMP ESP
Generating Shellcode and gaining shell
Example 1 (outdated): exploit Buffer Overflow locally
Find the right offset
Python script (mona.py)
Ruby scripts (pattern_create.rb & pattern_offset.rb)
Overwrite the EIP
Execute Shellcode
Example 2 (outdated): Buffer Overflow service server
example of a vulnerable Server service
check vulnerability: Crash the server with buffer overflow
Find the right offset
script Ruby: Overwrite the EIP & Execute the Shellcode
msfvenom options
Post Exploitation
Privilege Escalation
Windows Privilege Escalation
Tools
Information gathering for privilege escalation
How to spawn Administrator Shells
Kernel Exploits
Service Exploits
Insecure Service Permissions (weak folder permissions)
manual
permission of a service
metasploit
Insecure Service Executables (insecure file permissions)
manual
Unquoted Service Paths
manually
Search for Unquoted paths
Check if we have enough privileges
create a new executable and trick the service
SYSTEM reverse shell
Create a new Admin User
possible problem: Windows kills the process
metasploit
Weak Registry Permissions
DLL Hijacking
DLL missing from the system
Process Explorer
Process Monitor
Registry Exploits
AlwaysInstallElevated setting
manually
metasploit
AutoRuns
Passwords
Guess the Password
Windows Account Lockout
Password Guessing Tool: Hydra
pwInspector: trimming passwords
Dump & Crack the Hashes
Registry
Saved Creds
Unattended Installs & Configuration files
manually
metasploit
SAM
Password Dumping Tools
Remotely
hashdump (metasploit)
smart_hashdump (metasploit)
mimikatz (meterpreter)
mimikatz (Windows)
hashes from SAM file
hashes from LSASS process
pypykatz (python version of mimikatz)
secretsdump.py (python)
Locally (physical access)
Pass the Hashes
WCE (Windows Credentials Editor)
psexec
pth-winexe (NTLM hash)
crackmapexec: test credentials across the network
Scheduled Tasks
append a call to a reverse shell executable to the end of the scheduled script
Insecure GUI Apps (Citrix Method)
Startup Apps
Installed Applications
Access Tokens (UAC)
Check UAC
getsystem (meterpreter)
bypassuac (meterpreter)
bypassuac_vbs (meterpreter)
AutoElevate UAC bypass (Powershell)
UACMe Tool
how to create a connection between attacker and victim
Download and Compile
how to compile from the already downloaded Source
Empire framework (bypassuac modules)
privesc/bypassuac_eventvwr
privesc/ask
Metasploit executables exploits
User Privileges
RDP (Remote Desktop Protocol) -p 3389
Incognito (meterpreter)
Getting SYSTEM from Local Admin
Vulnerabilities of Continuous Integration (CI) Tools
Jenkins
Brute Force
Execute code in the Script Console
Reverse Shell
Execute code with Configure access
List Common Exploits
Upgrade to meterpreter shell
Download and execute file
Resolve Errors
DownloadString
General errors of one liners
One-Liners
netcat for windows (from zip file)
BloodHound (from zip file)
mimikatz
Rubeus
Procmon
WinPEAS
Process Explorer
Strings
Python HTTP server attacker
Active Directory (Windows) Privilege Escalation
How Authentication works in a Windows Network
LANMAN Challenge/Response
Weaknesses of the protocol
NTLMv1 Challenge/Response
Weaknesses of the protocol
NTLMv2 Challenge/Response
Considerations about the security of this protocol
Kerberos
Authentication flow
Wireshark Packets
decrypt packets
Kerberos Principals
Encryption
Privilege Attribute Certificate (PAC)
Windows Authentication attacks
Kerberos
Who am I? (information gathering)
Kerberoasting
Original method of Tim Medin (Old School)
Enumerate domain accounts with SPNs set
Request ServiceTicket
Dumping and Extracting ServiceTickets
Crack the Ticket
Use Password to obtain shell of the DC
Empire Powershell script
Rubeus
Crack with Hashcat
Linux Impacket GetUserSPNs.py
Golden Ticket
Obtain Krbtgt secret key
Forge Golden Ticket
Cached Golden Tickets
Silver Ticket
Obtain Computer Accounts secret key
Forge Silver Ticket
CIFS service
HOST service
Schedule Reverse Powershell (option 1)
Schedule Reverse Powershell (option 2)
WMI Service
execute code on the remote machine
Skeleton Key
Inject a Skeleton Key
inject a Skeleton Key by restarting the DC
Powershell Session on a Target machine of the domain
BONUS: change the skeleton key
dump NTDS.dit file stored on the Domain Controller
vssadmin (built-in Powershell 3.0+)
vssOwn (Powershell 2.0+)
Nishang framework: Copy-VSS.ps1 (Powershell 2.0+)
recover ntds.dit from another Windows machine
recover ntds.dit with an attacker Linux machine
extract hashes from ntds.dit
DCSync: Impersonate a Domain Controller
DCShadow
Action!
Man-in-the-Middle Attack: Delegate Impersonation (ntlmrelayx --delegate-access)
DNS spoofing: setup IPv6 of the attacker as DNS server
Delegate Impersonation
Defenses against Kerberos Attacks
Group Managed Service Accounts (gMSA)
Configure gMSA
Disable RC4 encryption
Perform PAC Validation
Protected Users Group
Mimikatz on Protected and Non-Protected Users
enable Credential Guard
Finding Passwords in SYSVOL and Exploiting Group Policy Preferences
How to defend against it
CVEs
PrintNightmare (CVE-2021-34527)
BloodHound
Installation of BloodHound and Neo4j
Data Collection
Invoke-BloodHound
Upload Data Collected
Queries with BloodHound
Find all Domain Admins
Find Shortest Path to Domain Admins
Find Principals with DCSync Rights
Find Specific paths
Linux Privilege Escalation
Permissions in Linux
SUID & SGID files
Manual Recon
System
Users
Networking Information
Applications and Services
File systems
Files
Interesting files
passwords hunting
Red Teaming - hiding
Automated Recon with Tools
LinEnum.sh
commands
linpeas.sh
Linux Smart Enumeration (lse.sh)
commands
linux-exploit-suggester.sh
metasploit
BeRoot
linuxprivchecker.py
Unix-privesc-check v1.4
Spawn SUID Root Shells
SUID Text Editors
SUID Shells
Custom executable
Spawn a reverse shell
Kernel Exploits
compile and execute the exploit
Service Exploits
mysqld
Precompiled Shared Library
raptor_udf2.c
Weak File Permissions
/etc/shadow
/etc/passwd
backups
/.ssh/root_key
Sudo
shell escape (awk example)
other shell escapes
Abusing intended functionality
other executables that we can abuse
environment variables
LD_PRELOAD
LD_LIBRARY_PATH
Cron Jobs
File Permission misconfiguration
PATH environment variable
Wildcards
SUID/SGID Executables
Abuse of functionality of executables
Known Exploits
nginx
Shared Object Injection (missing library)
Shared Object Injection (RPATH, RUNPATH)
PATH Environment Variable
Abusing Shell Features (define user functions)
Abusing Shell Features (Debugging mode)
Capabilities
Password & Keys
History Files
Config Files
SSH keys
generate SSH keys
Guessing: Linux/UNIX Account Lockout
shadow & passwd
Dump credentials
mimipenguin
swap_digger
Password Spray (Reverse Brute-Force attack)
NFS root squashing (ports 111, 2049)
Exploit of NFS root squashing
Portmap(rpcbind) ports 111 or 32771
Docker (Unix Socket Exploitation)
Lateral movement
SSH Hijacking
Stealing SSH credentials
Samba dump credentials
Full TTY
meterpreter
compile an exploit
Remediations & Mitigation
Meterpreter
sessions
friendlier terminal prompt
information gathering
Windows
privilege escalation
Dumping password database
Explore Victim Shell
Uploading and Downloading
shells
migrate the PID of the payload (hide / stable connection & dead session problem)
scripts Post Exploitation
Map Internal Network
Sniffing
kiwi
clear our traces from the machine
commands
search
edit
execute
windows meterpreter modules
Programs
Firefox
General
Maintain Access
migrate process
Backdoor
enable remote desktop
How to enable rdesktop directly from Windows
Remote Desktop - rdesktop - RDP
allow Windows user connections through RDP
Locally from Windows
Remotely from the Attacker machine (shell cmd)
Remotely from the attacker machine (meterpreter)
connect with rdesktop
backdoor with registry key
backdoor with metasploit
backdoor with xinetd daemon (Linux)
backdoor with Systemd daemon (Linux)
New Users
remote commands (Windows)
useful commands
Reverse shells
PowerShell (.ps1) Reverse Shells
php reverse shells
Metasploit shells Windows
OpenSSL Reverse Shell