Penetration Testing Slides

This document discusses an introduction to penetration testing workshop hosted by NYP Infosec. It provides an overview of penetration testing and scanning techniques such as using Nmap to discover open ports and services on a target system. It also covers tools for web enumeration like GoBuster to brute force directories and DNS subdomain enumeration. Tips are provided on techniques like banner grabbing and using certificates to gather additional information about a target. The document emphasizes that scanning should only be done with permission and illegally accessing systems or data is prohibited.

NYP INFOSEC 20xx

Introduction To Penetration Testing

Tech Week Workshop

1011 011 01 1011001 10 11011 011 01 110110 110111 1101


Before we start…
This is for educational purposes.

Hacking into someone else's devices/network or
leaking someone else's data is ILLEGAL!

If you get caught doing so, NYP Infosec will not be
responsible for your actions!
So please, please. Think before you act.


Table of contents
{01} Introduction
{02} Scanning
{03} Enumeration
{04} Exploit
{05} Maintaining Access
{06} Privilege Escalation


Pre-event survey

01 Introduction
What is penetration testing?
“ A penetration test, also known as a pen test, is a
simulated cyberattack against your computer system to
check for exploitable vulnerabilities. ”
- Imperva

MITRE ATT&CK Framework


Terms To Know
Port
● Ports are virtual entry points on a computer system, acting like doors or windows.
● They manage network connections and are associated with specific processes or services.
● Port numbers, assigned to each port, help computers distinguish between different types of traffic.
● Common Ports:
a. HTTP/HTTPS: 80/443
b. DNS: 53
c. SSH: 22
d. SMB: 445

Terms To Know
Web Server

Terms To Know
OWASP Top 10


02 Scanning
Scanning and Reconnaissance
● Reconnaissance is also known as information gathering. It involves unauthorized discovery and mapping of
systems, services, or vulnerabilities. This data can be used for planning and executing a successful attack.

● Common steps of reconnaissance:
1. Ping sweep
2. Determine the type and version of the applications and the OS.
3. Look for vulnerable services to be exploited.

● Common tools used: Google, Nmap, Wireshark, Metasploit, Netcat, etc.


Nmap
● Nmap is open-source software that supports host discovery, port scanning, service
version detection, and vulnerability assessment.

● What does nmap <target> do?
○ Pings the target to determine whether it is up and running.
○ Launches a TCP port scan of the 1,000 most popular ports.
○ Prints the results in normal, human-readable format, and exits.

! Make sure you have permission before you scan a system you do not own. !


Nmap
● Nmap default script scan: the -sC parameter.
● Nmap service/version detection: the -sV parameter.
● Nmap ‘everything’: the -A parameter.
-A: Enable OS detection, version detection, script scanning, and traceroute.

! Make sure you have permission before you scan a system you do not own. !


Nmap
● Syntax: nmap <target>
○ The PORT column gives the port number and protocol.
○ The STATE column gives the state of the port.
○ The SERVICE column is only a guess, made by looking the port up in nmap-services. It
shows "unknown" if the port has no name registered in that file.
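The PORT / STATE / SERVICE table described above is easy to parse from nmap's normal output, and doing so makes the point about the SERVICE column concrete: it is a name lookup, not an observation. The following is an added example, not code from the NYP Infosec slides. It parses a constructed nmap-style excerpt (host name, IP and version strings are invented), lists the open ports, and separates out the open ports for which nmap had neither a registered name nor a version, which are the ones worth a manual look.

```python
"""Parse the PORT / STATE / SERVICE (/ VERSION) table from nmap's normal output.

Added example, not from the NYP Infosec slides. SAMPLE_OUTPUT is a
constructed nmap-style excerpt: the host name, IP and version strings are
invented for the demo.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for target.example (10.0.0.5)
Host is up (0.0012s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          vsftpd 3.0.3
22/tcp   open     ssh          OpenSSH 8.2p1 (protocol 2.0)
80/tcp   open     http         Apache httpd 2.4.41
445/tcp  filtered microsoft-ds
8081/tcp open     unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
"""

# One row of the port table. Composite states ("open|filtered") are listed
# before the simple ones so the regex does not stop at the first word.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str   # nmap's guess from nmap-services, "unknown" if unregistered
    version: str   # from -sV; empty when nothing was identified


def parse_nmap_ports(text):
    """Return the PortRecords of every port table found in `text`."""
    records = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("PORT"):
            in_table = True        # header row: "PORT  STATE  SERVICE ..."
            continue
        if not in_table:
            continue
        if not line.strip():
            in_table = False       # a blank line closes the table
            continue
        m = PORT_LINE.match(line)
        if m:                      # other lines (MAC Address:, Service Info:) are skipped
            records.append(PortRecord(int(m["port"]), m["proto"], m["state"],
                                      m["service"], m["version"] or ""))
    return records


def open_ports(records):
    """Port numbers nmap reported as open, in scan order."""
    return [r.port for r in records if r.state == "open"]


def unnamed_ports(records):
    """Open ports with no entry in nmap-services and no version string.
    The SERVICE column tells you nothing about these; banner grab them."""
    return [r.port for r in records
            if r.state == "open" and r.service == "unknown" and not r.version]


if __name__ == "__main__":
    recs = parse_nmap_ports(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r.port}/{r.proto:<4} {r.state:<9} {r.service:<13} {r.version}")
    print("open:", open_ports(recs), "unnamed:", unnamed_ports(recs))
```

The parser only trusts the header line to start a table and a blank line to end it, so it copes with the extra lines nmap prints between tables when several hosts are scanned.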

Why can’t we just -A to nmap everything?

Attacking Network Services


Banner Grabbing
● Banner grabbing is a technique to gain information about a computer system and the services
running on its open ports.
● Usage: Hackers can perform a banner-grabbing attack to discover insecure and vulnerable
applications, and exploits for them.
● Tools: nmap, netcat, telnet, wget
● Netcat syntax: nc -v <target> <port>
○ nc: netcat
○ -v: verbose mode


Banner Grabbing
● Nmap syntax: nmap -sV --script=banner <target>
○ -sV: displays service/version information.
○ --script=banner: runs a script scan using the banner script.
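What nc -v and the nmap banner script actually do is open a TCP connection and read whatever the service says first; the catch is that some protocols (FTP, SSH, SMTP) speak first while others (HTTP) stay silent until the client sends something. The following added example, not code from the NYP Infosec slides, shows both cases against a throwaway service on 127.0.0.1 so it runs offline; the banner strings are constructed and the ports are whatever the OS assigns. It is the same check an administrator can run against their own services to see how much version information they give away.

```python
"""Banner grabbing over a TCP socket, demonstrated against a throwaway local
service so it runs offline.

Added example, not from the NYP Infosec slides. The banners are constructed
strings and the ports are whatever the OS assigns on 127.0.0.1.
"""
import socket
import threading


def serve_banner(banner: bytes, speak_first: bool = True):
    """Start a tiny TCP service on 127.0.0.1 and return (port, stop).

    speak_first=True mimics FTP/SSH/SMTP, which announce themselves as soon
    as the client connects. speak_first=False mimics HTTP, which stays silent
    until the client sends a request. Call stop() to shut the service down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)            # lets the accept loop notice stop()
    stopped = threading.Event()

    def loop():
        while not stopped.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    if speak_first or conn.recv(1024):
                        conn.sendall(banner)
                except (socket.timeout, OSError):
                    pass
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stopped.set


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 2.0) -> str:
    """Connect, optionally send `probe`, and return the first thing the service
    sends (decoded and stripped). Returns "" when the service stays silent,
    which is expected for client-speaks-first protocols such as HTTP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            return ""
    return data.decode("utf-8", errors="replace").strip()


def demo():
    """Grab banners from both kinds of service; returns what was observed."""
    ftp_port, stop_ftp = serve_banner(b"220 constructed-ftpd 9.9.9 ready\r\n")
    http_port, stop_http = serve_banner(
        b"HTTP/1.0 400 Bad Request\r\nServer: constructed-httpd/0.1\r\n\r\n",
        speak_first=False)
    try:
        return {
            # Server-speaks-first: the banner arrives with no prompting.
            "speaks_first": grab_banner("127.0.0.1", ftp_port),
            # Client-speaks-first, no probe: nothing arrives before the timeout.
            "silent_without_probe": grab_banner("127.0.0.1", http_port, timeout=0.5),
            # Same service, prodded with a minimal request: now it identifies itself.
            "silent_with_probe": grab_banner("127.0.0.1", http_port,
                                             probe=b"HEAD / HTTP/1.0\r\n\r\n"),
        }
    finally:
        stop_ftp()
        stop_http()


if __name__ == "__main__":
    for name, banner in demo().items():
        print(f"{name:<22} {banner!r}")
```

The empty result for the un-probed HTTP service is the reason nmap's -sV sends protocol-specific probes rather than just listening: a silent port is not an empty port.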



FTP (File Transfer Protocol)
● FTP is a standard communication protocol used for the transfer of computer files from a server to a client
on a computer network. The default port for FTP is 21.
● From an nmap scan, we can see the FTP service open and running on port 21.

FTP (File Transfer Protocol)
● We can connect to the service using the ftp command-line utility. A vulnerable FTP service will allow
an anonymous account to access the service.

SMB (Server Message Block)
● SMB is a network file sharing protocol that allows applications to read and write files and
request services from server programs.
● SMB shares allow users to share folders and make them accessible remotely. A tool to interact
with and enumerate SMB shares is smbclient.

SMB (Server Message Block)
● The -L flag lists the shares available on the remote host, while -N suppresses the
password prompt.

● smbclient commands:
smbclient -U '%' -N \\\\<IP>\\<SHARE> # anonymous (null) session to a share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session (you will be prompted for a password)


03 Enumeration
What is Web Enumeration?
During service scanning, you often run into servers on ports 80 and 443, but what
are they?
● Hypertext Transfer Protocol (HTTP): port 80
● HTTPS (the S is for secure): port 443
● HTTP/HTTPS are application layer protocols used for web applications
● These web applications usually give opportunities for the perpetrator to attack.

What is Web Enumeration?
Web application - software on the World Wide Web that runs in your web
browser

Enumeration - the process of systematically probing a target for information

So, web enumeration is the gathering of useful information from a web
application/web server. Even information not intended for public access!


GoBuster
GoBuster is a versatile tool that allows for
● DNS subdomain brute forcing
● vhost brute forcing
● directory brute forcing
● enumeration of public AWS S3 buckets

We will be focusing on the directory (and file) brute forcing mode, selected with the
dir switch.


GoBuster
HTTP status codes:
● 200: successful resource request
● 403: access to the resource is forbidden
● 404: resource not found on the web server
● 301: redirection

Results:
● A WordPress installation was identified at /wordpress
● Visiting http://10.10.10.121/wordpress reveals that WordPress is still in setup
mode, which will allow us to gain remote code execution (RCE) on the server
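Seen from the web server's side, the status codes above are exactly what gives a GoBuster run away: one client produces a burst of 404s in a few seconds, with the occasional 200, 301 or 403 marking a path that really exists. The following added example, not code from the NYP Infosec slides, runs that detection over constructed Apache/Nginx "combined" format log lines (the IPs, paths and user agents are invented) and, for each flagged client, reports the paths that did not 404, which are the ones the scanner actually found and the defender should review first.

```python
"""Detect directory brute forcing (the GoBuster pattern: a burst of 404s from
one client, with the occasional 200/301/403 marking a real path) in a web
server access log.

Added example, not from the NYP Infosec slides. SAMPLE_LOG is constructed
in Apache/Nginx 'combined' log format; the IPs, paths and user agents are
invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.9 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /wordpress HTTP/1.1" 301 0 "-" "gobuster/3.6"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /uploads HTTP/1.1" 403 199 "-" "gobuster/3.6"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Jan/2024:10:00:04 +0000] "GET /old HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.9 - - [10/Jan/2024:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                       "path": m["path"], "status": int(m["status"])})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: {"misses": n, "found": [paths]}} for every client that produced
    at least `threshold` 404 responses inside some `window`-long span.

    "found" lists the paths that did NOT 404 for that client: the directories
    and files the scanner actually discovered."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        misses = sorted(e["ts"] for e in evs if e["status"] == 404)
        start, peak = 0, 0
        for end in range(len(misses)):           # sliding window over 404 timestamps
            while misses[end] - misses[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            found = sorted({e["path"] for e in evs if e["status"] != 404})
            flagged[ip] = {"misses": len(misses), "found": found}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['misses']} misses, discovered {info['found']}")
```

The threshold and window are deliberately parameters: a normal browser produces a 404 now and then (the favicon request from the other client here), so the rule keys on density of misses, not on a single one.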



DNS Subdomain Enumeration
● Essential resources are also usually hosted on subdomains
● We can use tools like Gobuster (dns mode), with the help of SecLists, to
enumerate available subdomains

SecLists: a GitHub repository containing many useful wordlists for fuzzing and
exploitation


Web enumeration tips
● Banner Grabbing/Web Server Headers: headers can contain a lot of useful
information, such as the specific application framework in use and the authentication
options. Use tools like curl to retrieve them.

● Whatweb: command-line tool that can extract the versions of web servers,
supporting frameworks, and applications; it can also automate enumeration
processes.

● Certificates: SSL/TLS certificates can reveal details such as the company's
email address.


Web enumeration tips
● Robots.txt: a common file that instructs search engine web crawlers which
resources can and cannot be accessed for indexing. Reading robots.txt can thus
reveal sensitive resources.

● Source code: websites essentially work by sending code (HTML, PHP, JS) to your
browser. It is thus worth checking the source code (Ctrl+U) to find valuable
information.



04 Exploit

Metasploit Framework
(MSF)


Public Exploits
Once we have identified the services running on the ports found by our Nmap scan, the first
step is to check whether any of the applications/services have public exploits.

Public exploits can be found for web applications and for other applications running on
ports, like SSH or FTP.

Finding Public Exploits
● Google the application name together with "exploit" to see if we get any results

Searchsploit
A well-known tool to search for public exploits is searchsploit.

We can use this to search for public vulnerabilities/exploits for any application. We can
install it using the following command:

MTHYYYY@htb[/htb]$ sudo apt install exploitdb -y

Searchsploit
We can use it to search for a specific application by its name, as follows:


Metasploit Primer
Metasploit is a very useful tool for pentesters as it contains everything you need to gain
initial access (IA):
● Recon scripts to enumerate remote hosts and compromise targets.
● Verification scripts to test for the existence of a vulnerability without actually compromising the target.
● Meterpreter, a great tool for connecting to shells and running commands on compromised targets.
● Many post-exploitation and pivoting tools.


05 Maintaining Access
What is a Shell?
A shell is a program that passes commands entered by users to the operating system to
perform specific functions.

It used to be the only interface that allowed users to interact with systems.

“Getting a shell”:
- Attackers have gained access to the shell of the victim’s system, allowing the
attackers to run any command on the system as if they were the host.


Types of Shell
Shells can be used to establish and maintain a connection between attackers and the
system they are attacking. These are the 3 types of shells that can be used.

Shell Type     Description
Reverse Shell  Initiates a connection back to a "listener" on the attacker’s system.
Bind Shell     "Binds" to a specific port on the target host and waits for a connection from the attacker’s system.
Web Shell      Runs operating system commands via the web browser; typically not
               interactive or semi-interactive.


Reverse Shell
The simplest and most common shell type.

Connects the attacker to the victim’s system through a “listener”.

Once a vulnerability in the target’s system is identified, attackers can start a
Netcat listener on a specific port.

With the listener in place, attackers can execute a reverse shell command to
establish a remote connection between the attacker and the victim’s system and
shell.


NetCat Listener
The first step is to choose the port to “listen” on.

Flags used (describe what the programme will do)
Port number (specifies which port to listen on)

Flag  Description
-l    Listen mode, to wait for a connection to connect to the attacker. Can be used to view data by using open ports.
-v    Verbose mode, so that attackers know when we receive a connection.
-n    Disable DNS resolution and only connect from/to IPs, to speed up the connection.


NetCat Listener
Once the port is found and the connection is established, the attacker will be alerted by the
Netcat listener.

The attacker can now execute commands and get the output back directly, right on
their machine.

(Screenshot labels: IP address of victim, IP address of attacker)

Reverse Shell Commands
The commands executed depend on the host’s operating system (whether it is
Linux or Windows).

Allows attackers to fully access the victim’s system.

Shell code for PowerShell (Windows shell):


Bind Shell
Unlike a reverse shell, a bind shell requires attackers to connect to it, instead of the
shell connecting to us.
It takes place on the target’s listening port.
Using a bind shell command, it will start listening on a port on the remote host and bind
the victim’s shell to it.
Attackers can then use Netcat to gain control through the shell on the victim’s system.

Bind Shell Command
Just like reverse shells, different commands are required depending on the victim’s
operating system.

Code for PowerShell (Windows shell):

NetCat Connection
- Once the bind shell command is executed, attackers can establish a connection to it
using Netcat.
(Screenshot labels: victim’s IP address, port with the bind shell)

- Unlike a reverse shell, attackers can reconnect to a bind shell even when the connection is
lost.
- However, if the victim’s system is rebooted or the bind shell command is stopped,
access to the bind shell will be lost and the entire process will have to start over again.


Upgrade TTY
The user interface attackers see when using netcat will be very limited at first.
In order to gain more control, attackers need to upgrade their TTY (TeleTYpe: a
terminal that allows you to interact with the system).

For a Netcat connection, the TTY can be upgraded using Python and
stty (set teletypewriter: changes terminal/TTY settings) commands.

Web Shell
Web shells are typically web scripts that take our commands from HTTP request
parameters and execute them.

The output will be printed on a web page.

Writing A Web Shell
Creating a web shell is easy and requires only a single line of code.

Code for PHP:


Uploading A Web Shell
After creating a web shell, it has to be uploaded to the host’s web directory (webroot).
This allows the script to be executed through the web browser.

These are the default webroots for various web servers:

Web Server  Default Webroot
Apache      /var/www/html/
Nginx       /usr/local/nginx/html/
IIS         c:\inetpub\wwwroot\
XAMPP       C:\xampp\htdocs\


Accessing Web Shell
A web shell can be accessed through either a browser or cURL (provides a library and
command-line tool for transferring data using network protocols).

Web shells are powerful as they bypass the victim's firewalls by using already open
ports like port 80 and port 443 rather than opening new ones.

Web shells will remain accessible even after the host’s system reboots.

Web shells are less interactive than other shells.


06 Privilege Escalation
Priv Esc
● First access is usually as a low-privilege user,
unable to have full control
● Privilege escalation enables higher
privileges, to execute commands or get data
● Root user in Linux, Administrator/SYSTEM on
Windows

Enumeration Scripts
● Find weaknesses in the system and report on vulnerabilities
● Weaknesses: old kernel or software
● Scripts may be flagged by AV software, so manual enumeration may be needed
● Tools:
○ LinEnum and linuxprivchecker (Linux)
○ Seatbelt and JAWS (Windows)
○ Privilege Escalation Awesome Scripts SUITE (PEASS), e.g. LinPEAS


LinPEAS example usage
● Be on the machine you are testing (victim machine)
● Download the LinPEAS script from GitHub and start a simple web server on the attacker machine to host the script
● Download the script on the victim machine using wget and run it
● Sample output:

Kernel Exploit & Vulnerable Software
Kernel/OS
Using the previous step, you can identify a vulnerable/outdated kernel.
Google the OS information to see if there are any exploits available online.

Vulnerable Software
Using the previous steps, you can find vulnerable software that we can use to priv esc.
For example, searching the Sudo version on the internet leads to CVE-2021-3156: Heap-Based Buffer Overflow in Sudo, which can allow
priv esc.


Scheduled Tasks/Cron Jobs
● These are methods to have scripts run at specific intervals to carry out a task: Scheduled Tasks in Windows and Cron
Jobs in Linux.
● E.g.: an AV scan running every hour
● We can either add new tasks or make existing tasks execute something malicious
● E.g.: in Linux, scheduled tasks are maintained through cron jobs. We can add new tasks to execute a script to get a
reverse shell if we have write access.
Locations where new jobs can be added include:
1. /etc/crontab
2. /etc/cron.d
3. /var/spool/cron/crontabs/root


Poor Config
● Poor configuration may lead to exposed credentials, which may be the root user's.
● We can look for files we can read and check whether they contain any exposed credentials.

Poor Config
● Poor config can allow read access to the .ssh directory.
● Find private SSH keys in /home/user/.ssh/id_rsa or /root/.ssh/id_rsa.
● Read the id_rsa file, copy it to our machine and use the -i flag to log in with it, potentially as root:
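The cron-job slide and the two Poor Config slides describe the same class of mistake from the attacker's side: something root will run, or a credential, is readable or writable by a user it should not be. The following added example, not code from the NYP Infosec slides, is the defender's version of that enumeration: it parses system-crontab lines (the /etc/crontab and /etc/cron.d format with a user field), flags root jobs whose command references a world-writable path, and flags private SSH key files that other users can read. demo() builds a throwaway directory with constructed scripts, keys and a constructed crontab so it runs without touching the real /etc/crontab or anyone's .ssh; point the same functions at real files for an actual audit.

```python
"""Audit two local misconfigurations: root cron jobs that run a script other
users can modify, and SSH private keys readable by other users.

Added example, not from the NYP Infosec slides. demo() builds a throwaway
directory with constructed files and a constructed crontab; nothing under
/etc or ~/.ssh is read.
"""
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Parse /etc/crontab or /etc/cron.d style lines (5 time fields or an
    @-shortcut, then the user, then the command). Comments, blank lines and
    VAR=value assignments are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                 # e.g. "@reboot root /opt/x.sh"
            fields = line.split(None, 2)
            if len(fields) < 3:
                continue
            schedule, user, command = fields
        else:
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue
            schedule, user, command = " ".join(fields[:5]), fields[5], fields[6]
        jobs.append({"schedule": schedule, "user": user, "command": command})
    return jobs


def world_writable(path):
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & stat.S_IWOTH)


def writable_root_jobs(jobs):
    """Paths in root's cron commands that any user can write to: whatever is
    written there runs as root on the next schedule."""
    findings = []
    for job in jobs:
        if job["user"] != "root":
            continue
        for token in job["command"].split():
            if token.startswith("/") and world_writable(token) and token not in findings:
                findings.append(token)
    return findings


def exposed_private_keys(ssh_dir):
    """Private key files in `ssh_dir` whose mode lets group or others read them."""
    exposed = []
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if name.endswith(".pub") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            if b"PRIVATE KEY" not in fh.read(64):   # PEM/OpenSSH header line
                continue
        if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append(path)
    return exposed


def demo():
    """Build a constructed fixture and return the audit results."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    good = os.path.join(root, "rotate-logs.sh")
    bad = os.path.join(root, "backup.sh")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho constructed\n")
    os.chmod(good, 0o755)
    os.chmod(bad, 0o777)          # anyone may edit what root will run
    crontab = f"""\
# constructed /etc/crontab
SHELL=/bin/sh
PATH=/usr/bin:/bin
17 * * * * root {good}
0 2 * * * root /bin/sh {bad}
*/5 * * * * www-data /usr/bin/php /var/www/cron.php
@reboot root {good}
"""
    ssh = os.path.join(root, ".ssh")
    os.mkdir(ssh)
    safe, leaky = os.path.join(ssh, "id_ed25519"), os.path.join(ssh, "id_rsa")
    for p in (safe, leaky):
        with open(p, "w") as fh:   # placeholder key material, not a real key
            fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n")
    with open(leaky + ".pub", "w") as fh:
        fh.write("ssh-rsa constructed\n")
    os.chmod(safe, 0o600)
    os.chmod(leaky, 0o644)        # readable by everyone on the host
    jobs = parse_system_crontab(crontab)
    return {"jobs": len(jobs),
            "writable_root_scripts": writable_root_jobs(jobs),
            "exposed_keys": exposed_private_keys(ssh)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<22} {value}")
```

Only the job's own arguments are checked here; a full audit would also look at the directories those paths live in and at the PATH line, since a writable directory earlier in PATH than the real binary has the same effect.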



Thanks!
Quiz Time!

CREDITS: This presentation template was created by
Slidesgo, and includes icons by Flaticon, and infographics
& images by Freepik

Please keep this slide for attribution
