PentesterBook
by Daniele Volpe
Penetration Test Methodology
Legal Paper Work
Request for Proposal(RFP)
Proposal to submit
Project Scope
Test Environment
Rules Of Engagement
Announced VS Unannounced
Black Box VS Crystal-Box Test
Contractual Agreements
Report
The Report
Executive Summary
Introduction
Findings
Screenshots
Methodology
Conclusions
Appendices
Consultancy
External Pentest
Network Pentest
Testing Methodologies
Attacker Testing Infrastructure
Build a Lab
Penetration testing from the Cloud
Penetration Testing via SSH(or VPN)
Telesploit
Telesploit Relay
Configure the AWS instance of the Relay
Configure Relay from the Client
Add authorized_keys to the relay
update
Telesploit Server
Configure Server
Configure from ssh
Telesploit Client
Configure Client
How the connections are forwarded from the client
Reconnaissance (OSINT: Open Source Information Gathering)
Verify the Scope
Maintain Inventory Gathering
Spreadsheet (Individual)
Freemind: mindmapping (Individual)
Dradis (Collaborative)
Document Metadata Analysis
FOCA (webspider + search structured data)
New project (example)
extract and analyze metadata from files
Enumeration
Exiftool (structured data in documents)
Tesseract (OCR text in images)
Strings command (unstructured data)
Steghide
Google Dork: find files and directories
Email metadata
Email headers
Delivery Status Notifications
Infrastructure Information Gathering
Whois Lookups
Netcraft
multiple domains for a single IP address
Tool:recon-ng
Marketplace
Database
Modules
whois_miner
scylla
reverse_resolve (is dig better??)
cache_snoop
GHDB
export the data
Tools
dig
nmap (NSE)
fierce
dnsrecon
dnsenum
dnsmap
spyse
Shodan
exploits
Websites OSINT
Web Presence
Partner and Third Parties
Job Posting
Financial Information
Social Media
Harvesting email and accounts
theharvester
Scylla
Cached and Archival Sites
Google Dork
Search Diggity
Social Engineering (not always allowed)
Phishing
malicious file with .desktop file vulnerability
Tools
Social Engineering Toolkit (SET)
Credential Stuffing
email stuffing
Enumerating valid accounts
BurpSuite Intruder Sniper
wfuzz
Login Office 365
Login Outlook Web Access (OWA)
GHunt
Scanning and Enumeration
Scan the LAN (ARP packets)
windows
DNS
DNS Scans
DNS Lookup
DNS in the Internal Network
Zone Transfers
FQDN reachable by querying the internal DNS server
CHAOSNET queries
Solution
DNS reconnaissance tools
Host Discovery in the Internal Network with DNS
Network Sweeping(Host discovery) [-P*]
nmap
Local Area Network
-PR: nmap default host discovery (ARP)
-PE/-PP: ICMP ping
-PS/-PA: no ping (spot a firewall)
ip neigh: Finding IPv6 targets
Powershell
arp-scan
netdiscover
Network Tracing
Port Scanning (on hosts alive)
nmap [-s*]
SCAN TECHNIQUES
-Pn: no Ping
-sT: TCP Connect Scan
-sS: TCP SYN Scan
-sI: TCP Idle Scan (Red Teaming)
How Fragmentation works
How Idle Scan works
IP ID Sequence Generation algorithms
Idle Scan with hping3
nmap+hping3 (more reliable)
-sA: TCP ACK Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
-sM: TCP Maimon Scan [BSD Systems]
-sU: UDP scan
-sO: IP protocol scan
-b : FTP bounce scan
-p53 --source-port53: DNS
WAF identification
nmap Firewall/IDS/IPS evasion
IPv6
-f/--mtu
-D
--source-port [port]
--spoof-mac
--randomize-hosts
-T[0-5]
TTL manipulation (--ttl )
--data-length
hping3
Powershell
masscan
Angry IP scanner
Google Colab (Cloud)
OS Fingerprinting (on hosts alive)
active fingerprinting
nmap
-O & --osscan-guess: OS fingerprinting
-A: Aggressive scan option
NSE
passive fingerprinting
p0f
Service Scanning (hosts alive)
nmap -sV
-sC: common NSE scripts
Complete Scan (-A --osscan-guess --version-all -p-)
Mail Servers
Locate Mail Transfer Agent(MTA)
Sender Policy Framework (SPF)
-O SPF entry
SMTP
Check if a Mail Server is an open relay
Enumerate manually Users on the Server
-O Enumerate Users with Tools
POP3
AutoRecon
default scans commands
Tools
hping3
nmap
-s* options
-P* options
Timing
Nmap Scripting Engine (NSE)
fping
Maltego
Transforms
examples
DNSdumpster
DNSenum
Google Colab (Cloud)
Sniffing/Spoofing/Poisoning
Passive Sniffing
Active Sniffing/Spoofing
MAC Flooding (Switch)
Dsniff
macof (MAC Flooding)
ARP Cache Poisoning (Switch)
Host Poisoning
arpspoof: sniff traffic between hosts
SMB files
Gateway Poisoning
Tool: Dsniff
arpspoof (ARP Poisoning)
ICMP redirect attack
configuration settings Attacker side
Forge ICMP redirect packets
Send forged packet and intercept with wireshark
explanation of the packets
Examine captured packets
Identify an attack
DNS Spoofing (Router)
DHCP Spoofing (Router)
Public Key exchange (Man in the Middle)
Intercept SSL traffic
Sniffing Windows Challenge/Response Authentication
Sniff and extract voice traffic from RTP stream
Sniffing Web Application login
NetNTLM attacks
extract NetNTLMv2 hashes from pcap file and crack
Man-in-the-Middle techniques (IPv4)
exploit Single Sign-On(SSO) implementation of Windows in order to capture NTLM hashes
Capture the Hashes: redirect to Attacker's SMB share using UNC path
Get a Shell: redirect to Attacker's SMB share using UNC path
LLMNR & NetBIOS NS Spoofing/Poisoning (misspelled share queries)
Responder
How to set up the Lab
Attack with Responder listening for misspelled SMB share queries on the local network
WPAD Spoofing/Poisoning
Responder: capture credentials
NTLM/SMB Relay attack
Wireshark Capture
Discover Host with SMB signing disabled
NTLMv1 Relay (Metasploit)
NTLMv2 Relay
Responder + (smbrelayx | ntlmrelayx) --> (Meterpreter | Netcat)
Responder
payload with msfvenom
listen for incoming connection from the Target Server
start the script smbrelayx OR ntlmrelayx
Responder and Ntlmrelayx --> SMB shell
Hot Potato: WPAD Spoofing + NTLM relay attack
Juicy Potato: RPC + NTLM relay
Rotten Potato (see Juicy Potato)
Man-in-the-Middle techniques (ipv6)
NTLM Relay attack (ipv6)
DNS spoofing: setup IPv6 of the attacker as DNS server
2. Exploiting WPAD
Target LDAP Secure Service
Target SMB service (and connection with proxychains)
How to increase security against
misspelled share queries
NTLM relay attacks using SMB
abusing WPAD
stealing of credential hashes easily crackable
Windows XP/7
Windows 7
ipv6 attacks
in & out connections
Password Cracking
Tools
Dsniff
arpspoof (ARP Poisoning)
macof (MAC Flooding)
Ettercap
ARP Poisoning
sniff credentials on an HTTP connection
SSL traffic intercept
Sslstrip
SSL stripping attack
Sslstrip+
MITMf
installation MITMf
Cain (Windows)
ARP Poisoning
LLMNR & NetBIOS NS Spoofing/Poisoning
Cracker
Bettercap
wireshark
interface
coloring rules
configuration
generate example traffic
filter
Display Filters
Capture Filters
http(clear text data)
https(encrypted protocol)
tcpdump
Vulnerability assessment
Automated Scanners
Nessus
Start new scan
Settings
Credentials
Plugins
Report
ICS
Parse data out of Nessus
NSE Vulnerability Scanners
Autorecon NSE scripts
Manual Testing
NFS (ports 111, 2049)
NetBIOS, SMB
-p137,139: NetBIOS
NetBIOS Name Service (UDP:137)
NetBIOS Datagram Service (UDP:138)
NetBIOS Session Service (TCP:139)
-p445: SMB
Windows tools
Windows standard tools
external Windows tools
enum
winfingerprint
dumpsec (NO)
Linux Tools
enum4linux
Samba Suite
nmblookup
smbclient (connect to smb shell)
rpcclient
smbmap.py (check type of access we have to the shares)
nmap
Identify version of Samba
find if a host is null session vulnerable
nbtscan
python-impacket
Vulnerabilities
Username Map Script (CVE-2007-2447)
Configuration issues
Samba Symlink Directory Traversal (configuration issue)
www writable share
BruteForce Username and Password
psexec (metasploit)
Metasploit
SNMP
Linux Tools
Find Community name of Hosts running SNMP
Snmpwalk
syscontact OID
hrSWInstalledName OID
More Information
Snmpset: set new value object
Nmap NSE SNMP
snmp-brute
snmp-win32-services
snmp-win32-users
DNS
DNSSEC: make dns more secure
DNS Cache Snooping
Solutions
DNS Amplification Attack
Check if the DNS is an open resolver
Check Amplification
botnet: which domain and DNS use?
Edit dnsdrdos.c
metasploit module
DNS Cache Poisoning
Fuzzing DNS
Exploitation
Low Hanging Fruits (LHF)
Password Guessing
WARNING: Linux/UNIX Account Lockout
WARNING: Windows Account Lockout
MSSQL database Metasploit exploits
Types of exploits
Client-side Exploits
firefox version 35-36 bug
Adobe Flash Player version: 11&18 bug
Remote(service)-side Exploits
ms08-067
EternalBlue
Metasploit
How to use metasploit
msfconsole steps
start msfconsole
show modules
search exploits
see code of a module
load exploit
set payload and option
launch the exploit
stop sessions and jobs
example: set up server listening
examples( for now not so useful)
find live hosts with an ARP scan
find port open with a port scan
msfvenom
Metasploit Framework
Metasploit Framework Filesystem
Pry shell to understand ruby commands
meterpreter source code
ClientCore (core) (not a typical extension)
use method
migrate method
stdapi extensions
fs
sys
net
registry
privilege escalation extensions
Modules
Plugins
Tools
Write a custom metasploit module
where put the module
run module
possible errors
AV Evasion
Encoders
Veil Framework
Veil console
example: understand payload generated
example: execute payload on the target
Veil commands
Powershell
Disable AV
Powershell encrypters
SecureString
PowershellCrypter (my version)
PowershellAES (fork)
xencrypt
Powershell Obfuscators
Invoke-CradleCrafter
Invoke-Obfuscation
method SET SCRIPTPATH: obfuscate directly a file on the pc
method SET SCRIPTBLOCK: obfuscate a command
Powershell EncodedCommand
Evasion: download and run file in memory
Evasion: download file to disk
custom SSL certificate
search exploit for Windows
search exploit for Linux
search exploit for Linux/Windows (searchsploit, google)
example of how to deliver the exploit
Databases of exploits
Buffer Overflow
Security Implementations
Tool: EMET
ASLR
find processes ASLR enabled/disabled
Bypass ASLR Techniques
DEP
Bypassing DEP Techniques
Stack Canary (or Stack cookie)
Bypass Stack Canary Technique
vulnerable functions to Buffer Overflows
finding Buffer Overflows
fuzzer
Steps to conduct a Buffer Overflow (OSCP & eCPPT)
connect with netcat
Spiking
Fuzzing
Fuzzing (example2)
replicate the crash
replicate the crash (with the same amount of characters that caused the crash)
Find the Offset
Overwrite the EIP
Expanding the Space and Obtaining a Safe Padding
Finding Bad Characters
finding bad characters with mona
Not all BadChars are bad
Not all BadChars are Bad (example 2)
Find the right module for JMP ESP
Generating Shellcode and gaining shell
Example 1 (outdated): exploit Buffer Overflow locally
Find the right offset
Python script (mona.py)
Ruby scripts (pattern_create.rb & pattern_offset.rb)
Overwrite the EIP
Execute Shellcode
Example 2 (outdated): Buffer Overflow service server
example of a vulnerable Server service
check vulnerability: Crash the server with buffer overflow
Find the right offset
script Ruby: Overwrite the EIP & Execute the Shellcode
msfvenom options
Post Exploitation
Privilege Escalation
Windows Privilege Escalation
Tools
Information gathering for privilege escalation
How to spawn Administrator Shells
Kernel Exploits
Service Exploits
Insecure Service Permissions (weak folder permissions)
manual
permission of a service
metasploit
Insecure Service Executables (insecure file permissions)
manual
Unquoted Service Paths
manually
Search for Unquoted paths
Check if we have enough privileges
create a new executable and trick the service
SYSTEM reverse shell
Create a new Admin User
possible problem: Windows kills the process
metasploit
Weak Registry Permissions
DLL Hijacking
DLL missing from the system
Process Explorer
Process Monitor
Registry Exploits
AlwaysInstallElevated setting
manually
metasploit
AutoRuns
Passwords
Guess the Password
Windows Account Lockout
Password Guessing Tool: Hydra
pwInspector: trimming passwords
Dump & Crack the Hashes
Registry
Saved Creds
Unattended Installs & Configuration files
manually
metasploit
SAM
Password Dumping Tools
Remotely
hashdump (metasploit)
smart_hashdump (metasploit)
mimikatz (meterpreter)
mimikatz (Windows)
hashes from SAM file
hashes from LSASS process
pypykatz (python version of mimikatz)
secretsdump.py (python)
Locally (physical access)
Pass the Hashes
WCE (Windows Credentials Editor)
psexec
pth-winexe (NTLM hash)
crackmapexec: test credentials across the network
Scheduled Tasks
append a call to a reverse shell executable to the end of the scheduled script
Insecure GUI Apps (Citrix Method)
Startup Apps
Installed Applications
Access Tokens (UAC)
Check UAC
getsystem (meterpreter)
bypassuac (meterpreter)
bypassuac_vbs (meterpreter)
AutoElevate UAC bypass (Powershell)
UACMe Tool
how to create a connection between attacker and victim
Download and Compile
how to compile from the Source already Downloaded
Empire framework (bypassuac modules)
privesc/bypassuac _eventvwr
privesc/ask
Metasploit executables exploits
User Privileges
RDP (Remote Desktop Protocol) -p 3389
Incognito (meterpreter)
Getting SYSTEM from Local Admin
Vulnerabilities of Continuous Integration (CI) Tools
Jenkins
Brute Force
Execute code in the Script Console
Reverse Shell
Brute Force Execute code with Configure access
List Common Exploits
Upgrade to meterpreter shell
Download and execute file
Resolve Errors
DownloadString
General errors of one liners
One-Liners
netcat for windows (from zip file)
BloodHound (from zip file)
mimikatz
Rubeus
Procmon
WinPEAS
Process Explorer
Strings
Python HTTP server attacker
Active Directory(Windows) Privilege Escalation
How Authentication works in a Windows Network
LANMAN Challenge/Response
Weaknesses of the protocol
NTLMv1 Challenge/Response
Weaknesses of the protocol
NTLMv2 Challenge/Response
Considerations about the security of this protocol
Kerberos
Authentication flow
Wireshark Packets
decrypt packets
Kerberos Principals
Encryption
Privilege Attribute Certificate (PAC)
Windows Authentication attacks
Kerberos
who am I? (information gathering)
Kerberoasting
Original method of Tim Medin (Old School)
Enumerate domain accounts with SPNs set
Request ServiceTicket
Dumping and Extracting ServiceTickets
Crack the Ticket
Use Password to obtain shell of the DC
Empire Powershell script
Rubeus
Crack with Hashcat
Linux Impacket GetUserSPNs.py
Golden Ticket
Obtain Krbtgt secret key
Forge Golden Ticket
Cached Golden Tickets
Silver Ticket
Obtain Computer Accounts secret key
Forge Silver Ticket
CIFS service
HOST service
Schedule Reverse Powershell(option 1)
Schedule Reverse Powershell(option 2)
WMI Service
execute code on the remote machine
Skeleton Key
Inject a Skeleton Key
inject a Skeleton Key by restarting the DC
Powershell Session on a Target machine of the domain
BONUS: change the skeleton key
dump NTDS.dit file stored on the Domain Controller
vssadmin (built-in Powershell 3.0+)
vssOwn (Powershell 2.0+)
Nishang framework: Copy-VSS.ps1 (Powershell 2.0+)
recover ntds.dit from another Windows machine
recover ntds.dit with an attacker Linux machine
extract hashes from ntds.dit
DCSync: Impersonate a Domain Controller
DCShadow
Action!
Man-in-the-Middle Attack: Delegate Impersonation (ntlmrelayx --delegate-access)
DNS spoofing: setup IPv6 of the attacker as DNS server
Delegate Impersonation
Defenses against Kerberos Attacks
Group Managed Service Accounts (gMSA)
Configure gMSA
Disable RC4 encryption
Perform PAC Validation
Protected Users Group
Mimikatz on Protected and Non-Protected Users
enable Credential Guard
Finding Passwords in SYSVOL and Exploiting Group Policy Preferences
How to defend against it
CVEs
PrintNightmare (CVE-2021-34527)
BloodHound
Installation of BloodHound and Neo4j
Data Collection
Invoke-BloodHound
Upload Data Collected
Queries with BloodHound
Find all Domain Admins
Find Shortest Path to Domain Admins
Find Principals with DCSync Rights
Find Specific paths
Linux Privilege Escalation
Permissions in Linux
SUID & SGID files
Manual Recon
System
Users
Networking Information
Applications and Services
File systems
Files
Interesting files
passwords hunting
Red Teaming - hiding
Automated Recon with Tools
LinEnum.sh
commands
linpeas.sh
Linux Smart Enumeration (lse.sh)
commands
linux-exploit-suggester.sh
metasploit
BeRoot
linuxprivchecker.py
Unix-privesc-check v1.4
Spawn SUID Root Shells
SUID Text Editors
SUID Shells
Custom executable
Spawn a reverse shell
Kernel Exploits
compile and execute the exploit
Service Exploits
mysqld
Precompiled Shared Library
raptor_udf2.c
Weak File Permissions
/etc/shadow
/etc/passwd
backups
/.ssh/root_key
Sudo
shell escape (awk example)
other shell escapes
Abusing intended functionality
other executables that we can abuse of
environment variables
LD_PRELOAD
LD_LIBRARY_PATH
Cron Jobs
File Permission misconfiguration
PATH environment variable
Wildcards
SUID/SGID Executables
Abuse of functionality of executables
Known Exploits
nginx
Shared Object Injection (missing library)
Shared Object Injection (RPATH, RUNPATH)
PATH Environment Variable
Abusing Shell Features (define user functions)
Abusing Shell Features(Debugging mode)
Capabilities
Password & Keys
History Files
Config Files
SSH keys
generate SSH keys
Guessing: Linux/UNIX Account Lockout
shadow & passwd
Dump credentials
mimipenguin
swap_digger
Password Spray (Reverse Brute-Force attack)
NFS root squashing(ports 111,2049)
Exploit of NFS root squashing
Portmap(rpcbind) ports 111 or 32771
Dockers (Unix Socket Exploitation)
Lateral movement
SSH Hijacking
Stealing SSH credentials
Samba dump credentials
Full TTY
meterpreter
compile an exploit
Remediations & Mitigation
Meterpreter
sessions
friendlier terminal prompt
information gathering
Windows
privilege escalation
Dumping password database
Explore Victim Shell
Uploading and Downloading
shells
migrate PID of the payload (hide/stable connection & session died problem)
scripts Post Exploitation
Map Internal Network
Sniffing
kiwi
clear our trace from the machine
commands
search
edit
execute
windows meterpreter modules
Programs
Firefox
General
Maintain Access
migrate process
Backdoor
enable remote desktop
How to enable rdesktop directly from Windows
Remote Desktop - rdesktop - RDP
allow Windows user connection through RDP
Locally from Windows
Remotely from the Attacker machine (shell cmd)
Remotely from the attacker machine(meterpreter)
connect with rdesktop
backdoor with registry key
backdoor with metasploit
backdoor with xinetd daemon (Linux)
backdoor with Systemd daemon (Linux)
New Users
remote commands (Windows)
useful commands
Reverse shells
PowerShell(.ps1) Reverse Shells
php reverse shells
Metasploit shells Windows
OpenSSL Reverse Shell
Data Harvesting (aka Pillaging)
Role of the machine in the network
domain & domain controllers
enumerate users & groups
shares
Networking commands
System commands
metasploit-meterpreter
search (for file)
Windows
User Interface commands
screenshot
keylogger
metasploit
keyscan_start (script)
keylog_recorder (module)
lockout_keylogger
C++ code
client socket
socket server (with netcat)
Applications credentials
metasploit
enumerate applications
credentials stored in applications
Tools
SessionGopher
WebBrowserPassView
Firefox credentials
meterpreter scripts (all-in-one)
scraper
winenum
Other commands
Data Exfiltration
Exfiltration over TCP Socket with EBCDIC and Base64
Exfiltration over SSH
Exfiltration over HTTPS via POST Request
outbound connectivity
egress-framework
nmap (pivoting)
check software preinstalled
check browser GUI from the Target
DNS tunneling Data Exfiltration
PacketWhisper
exfiltrate file
decrypt exfiltrated file
Iodine
Mapping the Internal Network
Tools (route, traceroute, ping ...)
Static Binaries
Cache (ARP, netstat, ...)
Check for DNS Servers (ipconfig, nmcli, ...)
History+Logs
Network Configuration Settings
Pivoting
Tunnelling/Proxying
Dynamic Port Forwarding
Metasploit Dynamic Port Forwarding
nmap considerations
exploit through a Pivot host
Double Pivoting
Secure Sockets Funnelling (SSF)
ssh Dynamic Port Forwarding
Pivoting an Exploit through an existing meterpreter session
Delete, print or flush the routes
Port Forwarding
Local Port Forwarding
Local Port Forwarding (meterpreter)
Local Port Forwarding: target a service running on the TargetSystem
Reverse Port Forwarding: target a service running on the TargetSystem
Linux target (ssh)
Windows target (plink.exe)
Local/Reverse Port Forwarding with ssh
VPN pivoting
Empire Tool (post exploitation framework)
Listeners
setup SSL
Stagers
Agents
rename name agent
kill Agent
Modules
management
psinject
privesc: Privilege Escalation
powerup/allchecks
credentials
powerdump*
/mimikatz/logonpasswords*
lateral_movement
invoke_smbexec
situational_awareness
/network/portscan
Switching between Empire and Metasploit
switch from Empire to Metasploit
switch from Metasploit to Empire
Password Cracking Tools
Identify Encoding and Hashing algorithms
Magic Hashes (0e......)
John the Ripper (CPU)
Easy use
Specify Hash Type
Types of attacks
dictionary attack
LANMAN --> NT
brute force attack
Configuration File (john.conf)
Cracked passwords (john.pot)
John current status (john.rec)
Benchmark
Distributed Cracking
Ophcrack (CPU)
Rainbow Tables
Hashcat (CPU-GPU)
Easy use
Specifying Hash Type
Types of attacks
dictionary attack
Rule-based attack
rules
brute force attack
Mask Attack
hashcat mask (.hcmask)
Cracked passwords (hashcat.potfile)
Hashcat current status (.restore)
Benchmark
RainbowCrack (GPU)
Penglab & Google Colab (Cloud)
openssl to generate hashed password
benchmark
NTLMv1 crack
Online tools
Metasploit
Improving speed of cracking
Network Authentication cracking
Hydra
http-post-form
ssh
smb (TCP:139,445)
telnet
ftp
service: ftp
Patator
ssh
ftp
telnet
Wordlists
Covering Tracks
UNIX
Hiding files
Log editing
Accounts editing
Windows
Hiding Files in NTFS
Log editing
Network
ICMP Tunnels
Covert Channel in TCP and IP Headers
Anon
Browsing Anonymously
HTTP Proxies
Flow of requests
Check my IP Address
Check for real anonymous Proxies
visit a site that we own and verify the visitor logs
Use Anonymity testing site
TOR Network
Flow of requests
Tunneling
SSH
Local Port Forwarding
WebApp Pentest
Testing Methodologies
Security Testing Methods
web application basics
HTTP(S) protocol
HTTPS protocol
HTTPS: how it works
openssl
burpsuite
HTTP Requests
HTTP Responses
status codes
Tokens to maintain a session state
Cookies (Set-Cookie & Cookie headers)
Session Cookies
examination of cookies with Firefox
URI parameters
Hidden Form Fields
Authentication
Basic Authentication
Failed Authentication (example)
Successful Authentication (example)
Digest Authentication
Failed Authentication (example)
Successful Authentication (example)
Crack HTTP Digest passwords captured from PCAPs
Forms-Based Authentication
Successful Authentication (example)
Document Object Model (DOM)
Built-in objects (with Properties and Methods)
HTTP
netcat
simulate connection client-server
burpsuite
Same Origin Policy(SOP)
Exceptions to SOP
API
REST APIs and HTTP methods
OPTIONS
GET
POST
HEAD
PUT
DELETE
TRACE
Remote Procedure Call (RPC)
Simple Object Access Protocol (SOAP)
GraphQL API
BurpSuite
Show only requests with parameters
method interchange
HTML
Tools
BurpSuite
configuration
Target Scope
Proxy
Intruder
type of attacks
Repeater
Sequencer
Decoder
Comparer
Extender
Engagement Tools (Pro version)
Foxy Proxy
ZAP (OWASP Zed Attack Proxy)
configure intercept
Reconnaissance (Information Gathering)
HTTPS Testing: Versions and Cipher Suites
Server Profiling
Server Version: manual fingerprinting
FQDN host (SSL cert)
Identifying Web Technologies
Subdomain Enumeration
Wordlists
METHODOLOGY
Automating Enumeration
reconftw (software all in one)
subfinder
assetfinder (recommended by Heath Adams)
amass
Findomain
wfuzz (bruteforce)
Certificate Transparency reports (method)
Firefox browser
httpprobe
waybackurls (WayBack machine)
GoWitness
Zone Transfers
Burpsuite with payloads
sublist3r (OSINT)
spyse
recon-ng
netcraft
Spidering (aka Crawling)
ZAP
BurpSuite
wget
Analyzing Spidering Results
interesting variables
Enumeration of Files and Directories
dirsearch
feroxBuster (used also by autorecon)
extract parameters from php files
gobuster
Powershell
dirb
use in conjunction with Burpsuite
authentication
OWASP DirBuster
example
ZAP with Dirbuster lists
Wordlists
Forced Browsing
Review Unreferenced Files for Sensitive Information
Directory Listing misconfiguration
Username Harvesting
Side-Channel Attacks
Attack by Fuzzing (example)
Python Script
Google Dork: find vulnerable systems
Tool: SearchDiggity
Permitted HTTP Verbs
Bypass Web Application Firewall (WAF)
WAF Detection & Fingerprinting
Enumerate virtual hosts on the given IP/hostname
Basic Recon
Mail Headers
DNS history
XML-RPC Pingback (Wordpress)
Virtual Hosts
Check which of those IP have a Web Server enabled
Check if domain is configured on one of the IP found
Scanning (& Footprinting)
Port Scanner
Server Configuration
Test HTTP Methods
Default Pages
Enumeration endpoints from Javascript files
scrape Javascript files from page source code
tools to be tested
Enumerate parameters (fuzzing)
Arjun
examples
wfuzz
Vulnerability assessment
Common Vulnerabilities
Apache Tomcat
Deploy a Webshell on the Target
precompiled jsp Webshell
Build webshell with jsp
build webshell with msfvenom
SMB www writable share
Shellshock
Check Vulnerability
Exploit
Heartbleed (OpenSSL)
Java RMI registry (service: GNU Classpath grmiregistry port:1099)
Java Deserialization
Automated Scanners
wpscan (wordpress)
Test Wordpress website locally
version of WordPress
Plugins and Themes
nikto
Burp Scanner
Scope Configuration
Scan Configuration
Concurrent Scans & Resource Pool
Add to Task
Results
Confidence Levels
Retesting and Remediation Verification
Metasploit
Continue from previous Scans (db_import)
WMAP
KnoXSS (by BruteLogic)
Fuzzing variables with payloads
Fuzzing payloads
ZAP fuzzer
Burp Intruder
Form-based authentication Fuzzing (example)
Exploitation
Server-side
SQL injections(SQLi)
Identify Database Type
Find Injections Points
Visibility of SQLi
In-Band/Inline/UNION based SQLi
UNION SQL injection
Exploit manually
find the number of columns
Identify Field Types
Exploit with Sqlmap
Examples of queries (mysql)
Always True condition 'OR': extract all entries in the table
Bypass Login
Error-Based SQLi
MSSQL error-based injections exploit
MySQL error-based injection exploits
PostgreSQL error-based injection exploits
Blind SQLi: Equivalent String Injections
Blind SQLi: Boolean/Binary Based SQL injection
Blind Data Exfiltration manually
table_name
current user
Blind Data Exfiltration with Tools
scripts
sqlmap
Blind SQLi: Blind Timing
Blind SQLi: Out-of-Band SQLi
Methods SQLi
DB Fingerprinting
information_schema
MySQL
MS SQL Server
Oracle
Stacked Queries
Exploitation of the DBMS server machine
MySQL+ MS SQL Server
save the results in a temporary table
MySQL
Read file
Upload file
Execute commands
SQLi Tools
sqlmap
Initial Targeting
Auth/Sessions/Proxies
HTTP Headers
Information Gathering
DB Enumeration
Fine tuning the Payloads
DB Data Exfiltration
Post Exploitation
sqlmap + Proxy(ZAP)
Metasploit Integration
Metasploit Integration
BBQSQL
wfuzz
SQLi Cheat Sheets
wordlists
Mitigations
Authentication
Vulnerabilities in password-based login
Brute-force attacks
Username enumeration via different responses
Username enumeration via subtly different responses
Username enumeration via response timing
Flawed brute-force protection
Broken brute-force protection, IP block
Username enumeration via Account locking
User rate limiting
Bypass Rate Limiting
Broken brute-force protection, multiple credentials per request (JSON)
HTTP Basic Authentication
Vulnerabilities in multi-factor authentication
Bypassing two-factor authentication
2FA broken logic: choose to whom the 2FA code is sent
Directory(path) Traversal / File Inclusion
How to find possible vulnerable paths
Vulnerabilities (Local File Inclusion)
absolute path bypass
nested traversal sequences bypass
encodings bypass
Encoding (evasion technique)
cgi-bin folder bypass (CVE-2021-41773)
Validation of start of path bypass
NULL byte to terminate file path
Remote File Inclusion
metasploit module
Tools
Mitigation
nested traversal sequences bypass mitigation
Wordlists
CRLF(Carriage Return Line Feed) Injection Attack
example
Command Injection
example: DNS Lookup (Visible Results)
example: DNS Lookup (Blind Results)
example: DNS Lookup ( Reverse Shell via command injection, also called 'shoveling' )
Session Tokens stealing
Weakness of Session Tokens
Collect Session Credentials
Session Abuse
example: steal cookies without an alert message
Session Fixation
example: Authentication Bypass
example: enumerate Authentication Bypass
example: Maintain persistent Authentication
Mitigation Session Fixation
(Business Logic | Application Logic | Logic) Flaws
Excessive trust in client-side controls
Excessive trust in client-side controls: user can change constant parameters
2FA broken logic: choose to whom the 2FA code is sent
Failing to handle unconventional input
High-Level logic vulnerability: parameter accept negative value
Low-level logic flaw: int overflow
Inconsistent handling of exceptional input: truncation of long strings
Making flawed assumptions about user behavior
Trusted users won't always remain trustworthy
Inconsistent Security Control: Possibility of changing the email to the email of an admin
Users won't always supply mandatory input
Weak isolation on dual-use endpoint: users can change administrator password
Password reset broken logic
Users won't always follow the intended sequence
2FA simple bypass: After 2FA request go directly to the webpage account of the victim
Insufficient workflow validation: jump checkout step
Authentication bypass via flawed state machine: Administrator as default User-role
Domain-specific flaws
Flawed enforcement of business rules: Apply coupon multiples times
Infinite money logic flaw
Providing an encryption oracle
Authentication bypass via encryption oracle
Access Control
IDOR
XML external entity injection (XXE) (SSRF)
Basics of how XXE works
XML (markup language)
DTD files
Injection with Burp
XXE: XML data visible in HTTP response
Crystal/White Box Pentesting
Client-Side
Cross Site Scripting(XSS)
Classes of XSS
Reflected XSS (Non-Persistent)
HTML Injection
Test: Input is sanitized?
Stored XSS (second-order OR persistent XSS)
TEST: input text
DOM-Based (Type 0)
URI fragments (#)
document.write(...)
document.getElementById('....').innerHTML=...
JQuery attr() method
AngularJS ng-app directive
Labs to complete........
Identify XSS contexts
Determine location of the request in the response
WAF bypass and filter tests
Test common XSS tags & events for WAF bypass
Test characters
simple Encoding URL (percent encoding)
BurpSuite
ZAP
Firefox Web Console + JavaScript
Reverse engineering the developers' thoughts
XSS Contexts (examples)
XSS in HTML content
All Tags filtered --> try to use custom ones
Event Handlers blocked
Event handlers and href attributes blocked
XSS in Tag attributes
Reflected XSS into attribute with angle brackets HTML-encoded
Stored XSS into anchor href attribute
Reflected XSS in canonical link tag
XSS into JavaScript
Terminating the existing script
single quote and backslash escaped
Breaking out of a JavaScript string
angle brackets HTML encoded
angle brackets and double quotes HTML encoded + single quotes escaped
XSS in javascript:fetch with parenthesis blocked
Making use of HTML-encoding
XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
XSS in JavaScript template literals
XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
XSS into AngularJS sandbox
XSS with AngularJS sandbox escape without strings
Bypassing a CSP with an AngularJS sandbox escape
XSS Wordlists Payloads
XSS Backdoor (by BruteLogic)
XSS Tools
Interception Proxies
XSSsniper
XSSer
XSScrapy
Browser Exploitation (BeEF)
Example Hook
BeEF integration with Metasploit
Asynchronous JavaScript and XML (AJAX)
Mash-Ups Applications
Attack Surface (larger than typical)
AJAX Mapping (more difficult)
AJAX Exploitation
API Attacks
Data Attacks
JSON
JSON Exploitation Example
Exploit XSS (how it can be used)
Burp Collaborator to steal cookies
Burp Collaborator to capture passwords
Payload
perform CSRF with XSS
Mitigation
Preventing Session Hijacking via XSS
Cross-Site Request Forgery (CSRF/XSRF)
Hunt for CSRF vulnerabilities
How to construct a CSRF attack
ZAP: generate CSRF PoC
BurpSuite: Generate CSRF PoC
CSRF vulnerabilities
Validation of CSRF token depends on request method
Validation of CSRF token depends on token being present
CSRF token is not tied to the user session
CSRF token is tied to a non-session cookie
CSRF token is simply duplicated in a cookie
Referer header vulnerabilities
Validation of Referer depends on header being present
real flaw found in WebCalendar
PoC: Testing Vulnerability
PoC: Exploit Vulnerability
Validation of Referer can be circumvented
CSRF mitigation
Other vulnerabilities
Subdomain Takeover
Second-order subdomain takeovers
mitigation
Bypass Multi Factor Authentication (MFA)
API testing
File Upload
reverse shells
Web Shell
execute file on the Web Server
Bypassing the Extension Blacklisting
Bypass Content-Type & add bytes of a real image
Execution disabled on the Web Server
Zseano methodology
BruteForce POST parameters
Wordlists & Payloads
Bot Detection
Bug Bounties
Validate GitHub token
connect to MySQL database
MongoDB
Twitter auth
Twilio
Google Maps AIza key
API key tests
PostgreSQL
Wi-Fi
WiFi necessary hardware
Configuration
Deauth Attack
Select Network and capture data
Perform deauth attack
Wireshark
handshake file
Attempt to crack the handshake
Wireshark
Decrypt communications
Databases
Database Types
Structured Query Language
SQL Verbs
SQL Modifiers
SQL Data Types
SQL Special Characters
information_schema
SQL queries inside Web Applications
MySQL
Basic Usage
dump MySQL usernames and passwords
functions
load_file
dumpfile
User Defined Functions (UDF)
login
best-known vulnerabilities
CVE-2004-0627
CVE-2009-4484
CVE-2012-2122
PostgreSQL
Basic Usage
functions
Oracle Database
enumerating SID
Connect to the database
MongoDB
connect
Redis
System Security (Windows & Linux)
Architecture
CPU, Assembly and ISA
Assembly (ASM) basics
Process Memory
Stack
function call
Instructions
Data Transfers
Control Flow
NOPs
Registers
General Purpose Registers (GPRs)
operations
Endianness
Assemblers, Debuggers and Tools
Assembler
NASM
Installation
NASMX
Assemble a file
Link files
Compiler
gcc/g++ (Dev-C++)
Debugger
Immunity Debugger
CPU view
find entry point of a function
Modules view
IDA Pro
Microsoft Visual Studio C/C++
Decompiler
objdump (Dev-C++)
Shellcoding
Execution of a Shellcode
Types of Shellcode
Test if a Shellcode works
Manually create a Shellcode from Assembly
Search for the address of the function in the executable/DLL that we want to call
create a Shellcode
Manually create a Shellcode from C++
Search for the address of the function in the executable/DLL that we want to call
create a Shellcode
Encoding custom Shellcode/payload
NULL-free shellcode
Manual encoding
msfvenom encoding
Automate creation of shellcode
msfvenom
Malware
Classification
Virus
Trojan Horse
ncat
backdoor
reverse backdoor
persistent backdoor
manually
meterpreter
metasploit
Rootkit
Keylogger
Spyware
Adware
Dialer
Botnet
Ransomware
Data Stealing Malware
Worms
Greyware
Techniques used by malware
Alternate Data Streams
Kernel-mode Hooking techniques
Hooking SSDT
Hooking IRP
Layered filter driver (Attached device)
hook function pointer (IRP patching)
User-mode hooking techniques (API hooking)
IAT hooking
EAT hooking
Inline hooking
Direct Kernel Object Manipulation (DKOM)
Anti-debugging and anti-virtualization techniques
Obfuscation
Packers
Polymorphism
Metamorphism
how malware spreads
Cryptography and Password Cracking
Cryptography
Classification of Crypto-Algorithms
Cryptographic Hash Function
Public Key Infrastructure (PKI)
Digital Signature
Trust Chain (Hierarchical)
Digital Certificate (X.509)
Secure Sockets Layer (SSL)
DNSSEC
RRsets
Zone-Signing Keys (ZSK)
Key-Signing Keys (KSK)
Delegation Signer (DS)
NextSECure (NSEC)
Web of Trust
Pretty Good Privacy (PGP)
Secure Shell (SSH)
Cryptographic Attacks
Brute Force Attacks
brute-forcing sequence
Dictionary Attacks
custom dictionaries
CeWL
Rsmangler
pw-inspector
Rainbow Tables
download Rainbow Tables
Side Channel Attack
Birthday Attack
Security Pitfalls Implementing Cryptographic Systems
Authentication
Linux
Hashing algorithms
DES algorithm
MD5 algorithm
Where the password hashes are stored in Linux
Windows
Hashing algorithms
LM algorithm
NT algorithm
Where the password hashes are stored in Windows
Incident Handling
Theoretical Incident Handling Process
Preparation
Policy
Response Strategies
Notify Law Enforcement
Peer Notification
Take Notes
Building a Team
Team Organization
Getting Access to Systems & Data
GRR Rapid Response
Prevent an attacker from covering their tracks
Identification
Cheat Sheets
Where Does Identification Occur?
Initial Identification Assessment
Containment
Initial Analysis
Short Term
Long Term
Eradication
Recovery
Lessons Learned
Enterprise Incident Response
Applied Incident Handling
ICS
PLC Programming
ICS components
Protocols
DNP3
ICCP
Modbus
OPC
ICS risks and threats
IT vs OT
Recommended Practices
VM ICS
Network Defense, Detection and Analysis
Identify
Mapping an ICS Network
Protect
Shodan
Network Segmentation
Patch Management
Detect
Respond and Recover
Vulnerability Assessment
Blockchain and Smart Contracts Ex
Solidity
Contracts
State Variables & Integers
Math Operations
Structs
Arrays
Functions Declarations
Struct and Arrays
Private/Public functions & modifiers
Keccak256 and Typecasting
Events
Web3.js: Ethereum Javascript frontend library
Hello World
HelloWorld_Bank.sol
IDEs
Vulnerabilities
Integer Underflows and Overflows
Withdraw Function Vulnerable to Underflow
Transfer Function Vulnerable to a Batch Overflow
Real-World Scenario: ERC20 Beauty Chain Batch Overflow 2018
Test locally the Attack
Re-Entrancy
Checks Effects Interactions (CEI)
Transfer funds within Solidity: send vs transfer vs call.value
Example: Attack on Vulnerable code
How to test it
Fix the Vulnerability
Case Study: The DAO Hack
IDOR: Insecure Direct Object Reference
Do UI (Web or Mobile DApp) mitigations work? No!
Enumerating functions in a contract
Call Public Functions with Web3.js
Connect Ganache to Remix
Install Web3 and interact with Ganache
Call smart contract function from web3
Example: Fix with Simple Authorization
Phishing Users With Malicious DApps via tx.origin
How tx.origin and msg.sender work (example)
Vulnerable tx.origin contract (example)
Delegate Call Attack Vectors
Delegate Call vs “regular” Call (example 1)
Variables in a Delegate Call (example 2)
Case Study: Parity Wallet Attack
Attack Transactions
fallback function using Delegate Call
Bad Randomness Implementations on the Blockchain
Connect to Ganache
how block.number and blockhash work (example)
Vulnerable contract (example)
Pentesting Basics
binary arithmetic
decimal to binary
bitwise operations
hexadecimal
linux
X11 (X Window System Server)
buffers
accounts
networking
check networking
configure networking
dhcp
configuring interfaces
ifconfig
ifconfig vs ip
ip routing
show hosts in our network
with and without a connection with a VPN
Show routing table
make unreachable a host
configuring static route
Persistent changes in the routing table
troubleshooting routing issues
DNS (Domain Name System)
local name resolution
host command
getent command
dig command
firewall
netfilter
firewalld vs iptables
iptables
iptables tables
iptables chains
iptables command
connection States
tracked connection information
firewalld
zones
services
IPset
firewalld command
ss command
connection testing problems
Troubleshooting
file system
find file
install/remove program
install vmware tools
install Go packages
decompress files
shut down the system
Edit file with Vim
networking
protocols
packets
protocol layers
ISO/OSI layers
IP protocol suite (TCP/IP)
Link Layer
IP and MAC addresses, how they work together
Switches & CAM table
Address Resolution Protocol (ARP)
Internet Layer-Internet Protocol (IP)
IPv4 Subnetting
Calculate Subnet
Subnets Sheet
IPv6
IPv6 Address Types
Global Unicast Address
NAT
Router & routing table
routing metric
show hosts in our networks
with and without a connection with a VPN
configuring a static route
Transport Layer
TCP & UDP protocols
TCP
UDP
Ports
view listening ports on local computer
netstat
TCPView
services
-p23: telnet
-p161,162: SNMP
-p53: DNS service
Ports on ICS (Industrial Control Systems)
Application layer
DNS
local files
DNS software
DHCP
Network defense
Firewall
NAT protocol
PAT protocol
IDS (Intrusion Detection System)
IPS (Intrusion Prevention System)
Windows
NetBIOS
SMB
UNC paths
C++
input/output
iteration and conditional structure
conditional structure
if
switch
iteration (loops)
for
while
do-while
jump
return
goto
break
continue
pointers
strings
functions
default: pass by value
Pass-by-Reference with Reference Arguments
Pass-by-Reference with Pointer Arguments
preprocessor directives
example: exploitation with C++
remote connection
Sockets in C++
directory stealer
client socket(C++ program)
socket server(with netcat)
Python
variables
input/output
iteration and conditional structure
conditional structure
if
iteration (loops)
for
while
jump
pass
lists
methods
dictionaries (mapping objects)
methods
Switch conditional structure
functions
scope of variables
Libraries
Requests library
POSTs via Requests
SSL/TLS via Requests
argparse (command line arguments)
import modules
Networks ( use of Sockets)
exchange messages
server
Listen for incoming messages
send payload to a Buffer Overflow application (single message)
client
Send messages
Port scanner
backdoor server: listen for client command
server
Backdoor: listen for client commands
client
send commands to server
Web Applications (use of HTTP)
HTTP requests
library: http.client
OPTIONS request
GET request
library: requests
GET request + BeautifulSoup
python server (Attacker)
Bash
Most used shells
variables
environment variables
PATH
special characters
list commands
cut
clear
curl
grep
man
which
xargs
sort
timeouts
tr
wc
which
network commands
output redirectors
mkfifo
download/execute/extract file
script files
install software
Add shortcut to the script
Combine two text files
iteration and conditional structure
conditional structure
if
integer comparison
string comparison
iteration (loops)
for
while
read lines from a file
Shell on the linux machine
cheatsheet
Windows command line (cmd)
commands
cd
dir
find and findstr
more
move
net
add/remove accounts
SMB share
netsh
firewall settings
reg
rename
sc
type
variables
environment variables
PATH
output redirections
script files
Compile Software
Download files
PowerShell
Verbs (cmdlets)
Export-Csv (epcsv)
Get-Alias (gal)
Get-ChildItem (dir, gci, ls)
Get-Command (gcm)
Get-Content (gc, cat, type)
Get-Member (gm)
Get-Help (help function)
Get-Process (gps, ps)
Get-Service (gsv)
ForEach-Object (%, foreach)
Format-List (fl)
New-Object
Out-Host (oh)
Select-Object (select)
Select-String (sls)
Set-Location (cd)
Where-Object (?, where)
options
-whatif
-ExecutionPolicy
-WindowStyle
-Command
-EncodedCommand
-NoProfile
-Version
variables
environment variables
Modules (.psm1)
Get-Module
Import-Module
Scripts (.ps1)
Loops
Objects
processes
.NET class objects
Write on text file
Ruby
Basics of Ruby
How to execute Ruby
Ruby script files
load file from irb
Libraries
Gems
Data Types
Comments
Numbers
Strings
methods
freeze
sub,sub!,gsub,gsub!
Heredoc
concatenation
Interpolation
Arrays
Operations between arrays
Ranges
Hashes
Control Structures
Comparison Operators
Conditionals
Loops
Iterators
Enumerators
Altering Structured Control Flow
BEGIN/END
Methods
hash arguments
Block arguments (yield)
Method Visibility
Variables & Scope
Local Variables
Global variables
Constants
Classes
Instance Variables
Getter and Setter methods through Metaprogramming
Class methods
Open Classes
Subclassing and Inheritance (<)
Methods overriding
Specialize a method (super keyword)
Modules
Exceptions
Regular Expressions
Match method
Scan method (String method)
Special characters
Syntax
Global Variables
Dates and Time
Time
arithmetic operations (active_support extension)
format time (strftime method)
Files and Directories
Dir
File
Input/Output
File Stream
Read from file
Write to file
Extract info from files
IP extraction
xml format
Ports extraction
Normal format
grepable format
xml format
Network Interaction
High level sockets
TCP server skeletons
TIME client-server
ping Scanning (Hosts alive)
TCP Port Scanning (also MultiThreading)
UDP Port Scanning
Raw Sockets
PacketFu
Usage
Forge ICMP packet
Forge UDP packet
Forge TCP packet
Capture/sniff packet received
promiscuous mode
script: TCP SYN scan
script: Packet Sniffer Network
OS interaction
Web Application interaction
TCP Socket to interact with a Web Server
Libraries and modules
Net::HTTP library
Identify reflection of the request in the response
perform login with ruby
Script: POST flooding
Script: Bruteforce login
HTTPS (SSL)
Redirection
Proxies
URI
data extraction through regular expressions
Detect Reflected XSS with Nokogiri
Create a script with ruby
arguments input
Go
Cloud
Amazon Web Service (AWS)