Advertisement
joemccray

Network Penetration Testing Basics

Jun 10th, 2019
1,934
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 18.37 KB | None | 0 0
  1. Step 1: Download Nmap
  2. --------------------
  3. Windows: https://nmap.org/dist/nmap-7.70-setup.exe
  4. Mac OS X: https://nmap.org/dist/nmap-7.70.dmg
  5.  
  6. Linux:
  7. --- Fedora/CentOS/RHEL: sudo yum install -y nmap
  8. --- Ubuntu/Mint/Debian: sudo apt-get install -y nmap
  9.  
  10.  
  11.  
  12. ########################
  13. # Scanning Methodology #
  14. ########################
  15.  
  16. - Ping Sweep
  17. What's alive?
  18. ------------
  19. Note: On windows you won't need to use the word "sudo" in front of the command below:
  20.  
  21. ---------------------------On Linux or Mac OS X type This-----------------------------------
  22. sudo nmap -sP 157.166.226.*
  23.  
  24. ---------------------------or on Windows type:---------------------------------------------
  25. c:\nmap -sP 157.166.226.*
  26.  
  27. --------------------------------------------------------------------------------------------
  28.  
  29.  
  30.  
  31. -if -SP yields no results try:
  32. Note: On windows you won't need to use the word "sudo" in front of the command below:
  33. ---------------------------On Linux or Mac OS X type This-----------------------------------
  34. sudo nmap -sL 157.166.226.*
  35.  
  36. ---------------------------or on Windows type:---------------------------------------------
  37. c:\nmap -sL 157.166.226.*
  38.  
  39. ------------------------------------------------------------------------------------------
  40.  
  41.  
  42.  
  43. -Look for hostnames:
  44. Note: On windows you won't need to use the word "sudo" in front of the command below:
  45. ---------------------------On Linux or Mac OS X type This-----------------------------------
  46. sudo nmap -sL 157.166.226.* | grep com
  47.  
  48. ---------------------------or on Windows type:---------------------------------------------
  49. c:\nmap -sP 157.166.226.* | findstr "cnn"
  50.  
  51. -------------------------------------------------------------------------------------------
  52.  
  53.  
  54.  
  55. - Port Scan
  56. What's where?
  57. ------------
  58. Note: On windows you won't need to use the word "sudo" in front of the command below:
  59. ---------------------------On Linux or Mac OS X type This-----------------------------------
  60. sudo nmap -sS 162.243.126.247
  61.  
  62. ---------------------------or on Windows type:----------------------------------------------
  63. c:\nmap -sS 162.243.126.247
  64.  
  65. --------------------------------------------------------------------------------------------
  66.  
  67.  
  68.  
  69. - Bannergrab/Version Query
  70. What versions of software are running
  71. -------------------------------------
  72. Note: On windows you won't need to use the word "sudo" in front of the command below:
  73. ---------------------------On Linux or Mac OS X type This-----------------------------------
  74. sudo nmap -sV 162.243.126.247
  75.  
  76. ---------------------------or on Windows type:---------------------------------------------
  77. c:\nmap -sV 162.243.126.247
  78. -------------------------------------------------------------------------------------------
  79.  
  80.  
  81.  
  82. Let's dig into this a little bit more:
  83. -------------------------------------
  84. Note: On windows you won't need to use the word "sudo" in front of the command below:
  85. ---------------------------On Linux or Mac OS X type This-----------------------------------
  86. sudo nmap -sV --script=http-headers 162.243.126.247 -p 80,443
  87.  
  88. ---------------------------or on Windows type:---------------------------------------------
  89. c:\nmap -sV --script=http-headers 162.243.126.247 -p 80,443
  90. -------------------------------------------------------------------------------------------
  91.  
  92.  
  93.  
  94. - Vulnerability Research
  95. Lookup the banner versions for public exploits
  96. ----------------------------------------------
  97. http://exploit-db.com
  98. http://securityfocus.com/bid
  99. https://packetstormsecurity.com/files/tags/exploit/
  100.  
  101. ---------------------------------------------------------------------------------------------------------------------------------
  102. The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.
  103.  
  104.  
  105.  
  106.  
  107. ##############################################################################################################
  108. # Preparing for challenge lab exams like OSCP, and also how to play in network attack style CTF competitions #
  109. ##############################################################################################################
  110.  
  111. Issue 1. Lack of a thorough attack process
  112. ==========================================
  113. - Host discovery
  114. - Service discovery
  115. - Service version discovery
  116. - Vulnerability research
  117. - Linux (port 111)/Window (port 445) Enumeration
  118. - Webserver vulnerability scan
  119. - Directory brute force every webserver
  120. - Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
  121. - Brute force all services
  122.  
  123.  
  124. Issue 2. Lack of automation of the process
  125. ==========================================
  126. - Research attacks scripts on the internet to enhance your methodology
  127.  
  128.  
  129. Issue 3. Failing to document all steps being performed and their output
  130. =======================================================================
  131.  
  132.  
  133. Issue 4. Lack of sleep during the exam
  134. ======================================
  135.  
  136.  
  137. Issue 5. Failing to reboot target machines prior to attack
  138. ==========================================================
  139.  
  140.  
  141.  
  142. --------------------------------------------------------------------------------------------------------------
  143.  
  144.  
  145. A good strategy to use to prepare would be:
  146.  
  147. Step 1. Ensure that you are comfortable with Linux
  148. --------------------------------------------------
  149. - LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
  150. - Comptia Linux+ (You should be just a hair under a Linux system administrator in skill level, simple shell scripting, and well beyond a Linux user skill level)
  151.  
  152. You should be very comfortable with the material covered in the videos below (Go through all of them twice if you are new to Linux):
  153. https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
  154. https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
  155. https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E
  156.  
  157.  
  158.  
  159. 2. You should be comfortable with the following tools:
  160. ------------------------------------------------------
  161.  
  162. Nmap:
  163. https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo
  164.  
  165. Metasploit:
  166. https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja
  167.  
  168. Burp Suite:
  169. https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
  170.  
  171. Sqlmap:
  172. https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75
  173.  
  174. Nikto:
  175. https://www.youtube.com/watch?v=GH9qn_DBzCk
  176.  
  177. Enum4Linux:
  178. https://www.youtube.com/watch?v=hA5raaGOQKQ
  179.  
  180. RPCINFO/SHOWMOUNT:
  181. https://www.youtube.com/watch?v=FlRAA-1UXWQ
  182.  
  183. Hydra:
  184. https://www.youtube.com/watch?v=rLtj8tEmGso
  185.  
  186.  
  187.  
  188. 3. You need to comfortable with basic exploit development
  189. ---------------------------------------------------------
  190.  
  191. Basic assembly:
  192. https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB
  193.  
  194. Basic exploit development (first 5 videos in the playlist):
  195. https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
  196.  
  197.  
  198. 4. You need to be comfortable with privilege escalation
  199. -------------------------------------------------------
  200. Linux
  201. https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
  202.  
  203. Windows
  204. https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
  205. http://www.fuzzysecurity.com/tutorials/16.html
  206.  
  207. ----------------------------------------------------------------------------------------------------------------------------------
  208.  
  209.  
  210.  
  211.  
  212.  
  213.  
  214. #############################
  215. # Playing around in the lab #
  216. #############################
  217.  
  218.  
  219.  
  220. Some tools to install:
  221. ---------------------------Type This-----------------------------------
  222. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  223. gcc propecia.c -o propecia
  224. sudo cp propecia /bin
  225. -----------------------------------------------------------------------
  226.  
  227.  
  228.  
  229.  
  230. ##############################
  231. # Scanning Process to follow #
  232. ##############################
  233.  
  234. Step 1: Host Discovery
  235. ----------------------
  236.  
  237. ---------------------------Type This-----------------------------------
  238. nmap -sP 172.31.2.0/24
  239.  
  240. nmap -sL 172.31.2.0/24
  241.  
  242. nmap -sS --open -p 22,445 172.31.2.0/24
  243.  
  244. propecia 172.31.2 22 > file1
  245. propecia 172.31.2 445 > file2
  246. cat file1 file2 > file3
  247. cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
  248. cat lab.txt
  249. -----------------------------------------------------------------------
  250.  
  251.  
  252. Step 2: Port Scan
  253. -----------------
  254. nmap -sS <IP-ADDRESS>
  255. nmap -sU -p 69,161 <IP-ADDRESS>
  256.  
  257.  
  258. ---------------------------Type This-----------------------------------
  259. sudo nmap -sS 172.31.2.0/24
  260. sudo nmap -sU -p 69,161 172.31.2.0/24
  261. -----------------------------------------------------------------------
  262.  
  263.  
  264. Step 3: Bannergrab
  265. ------------------
  266. nmap -sV <IP-ADDRESS>
  267. nmap -sV -p- <IP-ADDRESS>
  268. |
  269. ----> Vulnerability Research
  270.  
  271. ---------------------------Type This-----------------------------------
  272. sudo nmap -sV 172.31.2.0/24
  273. -----------------------------------------------------------------------
  274.  
  275.  
  276.  
  277.  
  278. Step 4: Enumerate common Windows/Linux file sharing services
  279. Step 3 is where most people STOP, and you need to move on and look deeper
  280. ------------------------------------------------------------
  281.  
  282. ---------------------------Type This-----------------------------------
  283. sudo apt install smbclient libnss-winbind winbind
  284. git clone https://github.com/portcullislabs/enum4linux.git
  285. cd enum4linux/
  286. perl enum4linux.pl -U 172.31.2.11
  287.  
  288. nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.86
  289. ---------------------------------------------------------------------------------------
  290.  
  291.  
  292.  
  293. Step 5: Vulnerability Scan the webservers
  294. -----------------------------------------
  295. git clone https://github.com/sullo/nikto.git Nikto2
  296.  
  297. cd Nikto2/program
  298.  
  299. perl nikto.pl -h <IP-ADDRESS>
  300.  
  301.  
  302.  
  303. Step 6: Directory Bruteforce every webserver
  304. --------------------------------------------
  305. sudo apt install -y libcurl4-openssl-dev
  306.  
  307. git clone https://github.com/v0re/dirb.git
  308.  
  309. cd dirb/
  310.  
  311. ./configure
  312.  
  313. make
  314.  
  315. ./dirb
  316.  
  317. ./dirb http://<IP-ADDRESS> wordlists/big.txt
  318.  
  319.  
  320.  
  321.  
  322.  
  323. Step 7: Analyze source code of all webpages found
  324. -------------------------------------------------
  325. lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links
  326.  
  327. If you ever need to download an entire Web site, perhaps for off-line viewing, wget can do the job—for example:
  328.  
  329. $ wget \
  330. --recursive \
  331. --no-clobber \
  332. --page-requisites \
  333. --html-extension \
  334. --convert-links \
  335. --restrict-file-names=windows \
  336. --domains website.org \
  337. --no-parent \
  338. www.website.org/tutorials/html/
  339.  
  340.  
  341. This command downloads the Web site www.website.org/tutorials/html/.
  342.  
  343. The options are:
  344.  
  345. --recursive: download the entire Web site.
  346.  
  347. --domains website.org: don't follow links outside website.org.
  348.  
  349. --no-parent: don't follow links outside the directory tutorials/html/.
  350.  
  351. --page-requisites: get all the elements that compose the page (images, CSS and so on).
  352.  
  353. --html-extension: save files with the .html extension.
  354.  
  355. --convert-links: convert links so that they work locally, off-line.
  356.  
  357. --restrict-file-names=windows: modify filenames so that they will work in Windows as well.
  358.  
  359. --no-clobber: don't overwrite any existing files (used in case the download is interrupted and resumed).
  360.  
  361.  
  362.  
  363. Step 8: Bruteforce any services you find
  364. ----------------------------------------
  365. sudo apt install -y zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev libpq-dev libsvn-devcd ~/toolz
  366. git clone https://github.com/vanhauser-thc/thc-hydra.git
  367. cd thc-hydra
  368. ./configure
  369. make
  370. hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS
  371. hydra -l user -P passlist.txt ftp://<IP-ADDRESS
  372.  
  373.  
  374.  
  375. ##########################
  376. # Step 1: Host Discovery #
  377. ##########################
  378.  
  379. Reason:
  380. -------
  381. You have to discover the reachable hosts in the network before you can attack them.
  382.  
  383.  
  384. Hosts discovery syntax:
  385. -----------------------
  386. nmap -sP 172.31.2.0/24
  387. propecia 172.31.2 22 > file1
  388. propecia 172.31.2 445 > file2
  389. cat file1 file2 > file3
  390. cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
  391. cat lab.txt
  392.  
  393. Issues:
  394. -------
  395. Issue we had to deal with was hosts that didn't respond to ICMP
  396.  
  397.  
  398.  
  399.  
  400.  
  401. Hosts discovered:
  402. -----------------
  403. 172.31.2.24
  404. 172.31.2.47
  405. 172.31.2.86
  406. 172.31.2.117
  407. 172.31.2.181
  408. 172.31.2.217
  409. 172.31.2.238
  410. 172.31.2.254
  411.  
  412.  
  413.  
  414.  
  415. #############################
  416. # Step 2: Service Discovery #
  417. #############################
  418.  
  419. sudo nmap -sS -p 22,135,80,445,8080 -iL lab.txt
  420. Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-17 19:46 EDT
  421. Nmap scan report for 172.31.2.24
  422. Host is up (0.42s latency).
  423.  
  424. PORT STATE SERVICE
  425. 22/tcp closed ssh
  426. 80/tcp open http
  427. 135/tcp closed msrpc
  428. 445/tcp open microsoft-ds
  429. 8080/tcp open http-proxy
  430.  
  431. Nmap scan report for 172.31.2.47
  432. Host is up (0.52s latency).
  433.  
  434. PORT STATE SERVICE
  435. 22/tcp open ssh
  436. 80/tcp open http
  437. 135/tcp closed msrpc
  438. 445/tcp closed microsoft-ds
  439. 8080/tcp closed http-proxy
  440.  
  441. Nmap scan report for 172.31.2.86
  442. Host is up (0.13s latency).
  443.  
  444. PORT STATE SERVICE
  445. 22/tcp open ssh
  446. 80/tcp open http
  447. 135/tcp closed msrpc
  448. 445/tcp open microsoft-ds
  449. 8080/tcp open http-proxy
  450.  
  451. Nmap scan report for 172.31.2.117
  452. Host is up (0.57s latency).
  453.  
  454. PORT STATE SERVICE
  455. 22/tcp open ssh
  456. 80/tcp open http
  457. 135/tcp closed msrpc
  458. 445/tcp closed microsoft-ds
  459. 8080/tcp closed http-proxy
  460.  
  461. Nmap scan report for 172.31.2.181
  462. Host is up (0.69s latency).
  463.  
  464. PORT STATE SERVICE
  465. 22/tcp open ssh
  466. 80/tcp closed http
  467. 135/tcp closed msrpc
  468. 445/tcp closed microsoft-ds
  469. 8080/tcp closed http-proxy
  470.  
  471. Nmap scan report for 172.31.2.217
  472. Host is up (0.26s latency).
  473.  
  474. PORT STATE SERVICE
  475. 22/tcp open ssh
  476. 80/tcp open http
  477. 135/tcp filtered msrpc
  478. 445/tcp closed microsoft-ds
  479. 8080/tcp closed http-proxy
  480.  
  481. Nmap scan report for 172.31.2.238
  482. Host is up (0.57s latency).
  483.  
  484. PORT STATE SERVICE
  485. 22/tcp open ssh
  486. 80/tcp open http
  487. 135/tcp closed msrpc
  488. 445/tcp closed microsoft-ds
  489. 8080/tcp closed http-proxy
  490.  
  491. Nmap scan report for 172.31.2.254
  492. Host is up (0.68s latency).
  493.  
  494. PORT STATE SERVICE
  495. 22/tcp open ssh
  496. 80/tcp closed http
  497. 135/tcp closed msrpc
  498. 445/tcp closed microsoft-ds
  499. 8080/tcp closed http-proxy
  500.  
  501. Nmap done: 8 IP addresses (8 hosts up) scanned in 3.76 seconds
  502. infosecaddicts@osboxes:~/toolz$
  503.  
  504.  
  505. #####################################
  506. # Step 3: Service Version Discovery #
  507. #####################################
  508. infosecaddicts@osboxes:~/toolz$ sudo nmap -sV -p 22,135,80,445,8080 -iL lab.txt
  509. Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-17 19:47 EDT
  510. Nmap scan report for 172.31.2.24
  511. Host is up (0.26s latency).
  512.  
  513. PORT STATE SERVICE VERSION
  514. 22/tcp closed ssh
  515. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  516. 135/tcp closed msrpc
  517. 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  518. 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
  519. Service Info: Host: CANYOUPWNME
  520.  
  521. Nmap scan report for 172.31.2.47
  522. Host is up (0.52s latency).
  523.  
  524. PORT STATE SERVICE VERSION
  525. 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
  526. 80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
  527. 135/tcp closed msrpc
  528. 445/tcp closed microsoft-ds
  529. 8080/tcp closed http-proxy
  530. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  531.  
  532. Nmap scan report for 172.31.2.86
  533. Host is up (0.018s latency).
  534.  
  535. PORT STATE SERVICE VERSION
  536. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
  537. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  538. 135/tcp filtered msrpc
  539. 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  540. 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
  541. Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  542.  
  543. Nmap scan report for 172.31.2.117
  544. Host is up (0.15s latency).
  545.  
  546. PORT STATE SERVICE VERSION
  547. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
  548. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  549. 135/tcp closed msrpc
  550. 445/tcp filtered microsoft-ds
  551. 8080/tcp filtered http-proxy
  552. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  553.  
  554. Nmap scan report for 172.31.2.181
  555. Host is up (0.26s latency).
  556.  
  557. PORT STATE SERVICE VERSION
  558. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
  559. 80/tcp filtered http
  560. 135/tcp closed msrpc
  561. 445/tcp closed microsoft-ds
  562. 8080/tcp filtered http-proxy
  563. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  564.  
  565. Nmap scan report for 172.31.2.217
  566. Host is up (0.26s latency).
  567.  
  568. PORT STATE SERVICE VERSION
  569. 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
  570. 80/tcp open http nginx
  571. 135/tcp closed msrpc
  572. 445/tcp closed microsoft-ds
  573. 8080/tcp filtered http-proxy
  574. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  575.  
  576. Nmap scan report for 172.31.2.238
  577. Host is up (0.15s latency).
  578.  
  579. PORT STATE SERVICE VERSION
  580. 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
  581. 80/tcp open http nginx 1.6.2
  582. 135/tcp closed msrpc
  583. 445/tcp filtered microsoft-ds
  584. 8080/tcp filtered http-proxy
  585. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  586.  
  587. Nmap scan report for 172.31.2.254
  588. Host is up (0.36s latency).
  589.  
  590. PORT STATE SERVICE VERSION
  591. 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
  592. 80/tcp closed http
  593. 135/tcp closed msrpc
  594. 445/tcp closed microsoft-ds
  595. 8080/tcp filtered http-proxy
  596. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  597.  
  598. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  599. Nmap done: 8 IP addresses (8 hosts up) scanned in 10.69 seconds
  600. infosecaddicts@osboxes:~/toolz$
  601.  
  602.  
  603.  
  604. ##################################
  605. # Step 4: Vulnerability Research #
  606. ##################################
  607.  
  608. For each service version identified on each open port in the previous step please go to exploit-db.com/search and send me the links to the potential exploits you can use to attack these hosts.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement