joemccray

Network Penetration Testing Basics

Jun 10th, 2019
Step 1: Download Nmap
--------------------
Windows: https://nmap.org/dist/nmap-7.70-setup.exe
Mac OS X: https://nmap.org/dist/nmap-7.70.dmg

Linux:
--- Fedora/CentOS/RHEL: sudo yum install -y nmap
--- Ubuntu/Mint/Debian: sudo apt-get install -y nmap


########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------
Note: On Windows you won't need to use the word "sudo" in front of the command below:

---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sP 157.166.226.*

---------------------------or on Windows type:---------------------------------------------
c:\nmap -sP 157.166.226.*

--------------------------------------------------------------------------------------------


- If -sP yields no results try:
Note: On Windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sL 157.166.226.*

---------------------------or on Windows type:---------------------------------------------
c:\nmap -sL 157.166.226.*

------------------------------------------------------------------------------------------


- Look for hostnames:
Note: On Windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sL 157.166.226.* | grep com

---------------------------or on Windows type:---------------------------------------------
c:\nmap -sL 157.166.226.* | findstr "cnn"

-------------------------------------------------------------------------------------------


- Port Scan
What's where?
------------
Note: On Windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sS 162.243.126.247

---------------------------or on Windows type:----------------------------------------------
c:\nmap -sS 162.243.126.247

--------------------------------------------------------------------------------------------


- Bannergrab/Version Query
What versions of software are running?
-------------------------------------
Note: On Windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sV 162.243.126.247

---------------------------or on Windows type:---------------------------------------------
c:\nmap -sV 162.243.126.247
-------------------------------------------------------------------------------------------


Let's dig into this a little bit more:
-------------------------------------
Note: On Windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sV --script=http-headers 162.243.126.247 -p 80,443

---------------------------or on Windows type:---------------------------------------------
c:\nmap -sV --script=http-headers 162.243.126.247 -p 80,443
-------------------------------------------------------------------------------------------


- Vulnerability Research
Look up the banner versions for public exploits
----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/

---------------------------------------------------------------------------------------------------------------------------------
The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.



##############################################################################################################
# Preparing for challenge lab exams like OSCP, and also how to play in network attack style CTF competitions #
##############################################################################################################

Issue 1. Lack of a thorough attack process
==========================================
- Host discovery
- Service discovery
- Service version discovery
- Vulnerability research
- Linux (port 111)/Windows (port 445) enumeration
- Webserver vulnerability scan
- Directory brute force every webserver
- Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
- Brute force all services


Issue 2. Lack of automation of the process
==========================================
- Research attack scripts on the internet to enhance your methodology


Issue 3. Failing to document all steps being performed and their output
=======================================================================


Issue 4. Lack of sleep during the exam
======================================


Issue 5. Failing to reboot target machines prior to attack
==========================================================



--------------------------------------------------------------------------------------------------------------


A good strategy to use to prepare would be:

Step 1. Ensure that you are comfortable with Linux
--------------------------------------------------
- LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
- CompTIA Linux+ (you should be just a hair under a Linux system administrator in skill level, able to do simple shell scripting, and well beyond a Linux user skill level)

You should be very comfortable with the material covered in the videos below (go through all of them twice if you are new to Linux):
https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E



Step 2. You should be comfortable with the following tools:
-----------------------------------------------------------

Nmap:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo

Metasploit:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja

Burp Suite:
https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV

Sqlmap:
https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75

Nikto:
https://www.youtube.com/watch?v=GH9qn_DBzCk

Enum4Linux:
https://www.youtube.com/watch?v=hA5raaGOQKQ

RPCINFO/SHOWMOUNT:
https://www.youtube.com/watch?v=FlRAA-1UXWQ

Hydra:
https://www.youtube.com/watch?v=rLtj8tEmGso



Step 3. You need to be comfortable with basic exploit development
-----------------------------------------------------------------

Basic assembly:
https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB

Basic exploit development (first 5 videos in the playlist):
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl


Step 4. You need to be comfortable with privilege escalation
------------------------------------------------------------
Linux
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Windows
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://www.fuzzysecurity.com/tutorials/16.html

----------------------------------------------------------------------------------------------------------------------------------



#############################
# Playing around in the lab #
#############################


Some tools to install:
---------------------------Type This-----------------------------------
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
gcc propecia.c -o propecia
sudo cp propecia /bin
-----------------------------------------------------------------------



##############################
# Scanning Process to follow #
##############################

Step 1: Host Discovery
----------------------

---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24

nmap -sL 172.31.2.0/24

nmap -sS --open -p 22,445 172.31.2.0/24

propecia 172.31.2 22 > file1
propecia 172.31.2 445 > file2
cat file1 file2 > file3
cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
cat lab.txt
-----------------------------------------------------------------------


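The pipeline above merges the two propecia host lists and sorts on the third and fourth octets only, which is fine for a single /24 but misorders anything wider, and it relies on uniq, which only removes duplicates that are adjacent. The following is an added example, not part of the handout, showing the same merge done as a small POSIX sh function that sorts on all four octets, drops any line that is not a dotted quad, and de-duplicates inside sort itself. The sample lists are constructed from the lab addresses listed later in this handout; a real run would pass the files produced by propecia or nmap.

```shell
#!/bin/sh
# Added example (not from the original handout): merge per-port host lists
# (e.g. the propecia output for ports 22 and 445) into one sorted target list.
# Usage: merge_host_lists OUTFILE FILE...   (each FILE: one IPv4 address per line)
# Prints the number of unique hosts written to OUTFILE.

merge_host_lists() {
    out="$1"; shift
    # 1. keep only dotted-quad lines (tool banners or errors in the files are dropped)
    # 2. sort numerically on every octet, not just the last two, so the order
    #    is also right for a /16 or for several /24s in one list
    # 3. -u removes duplicates during the sort; plain uniq would only drop
    #    duplicates that happen to sit next to each other
    cat "$@" \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
      | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# Constructed sample lists (addresses taken from the lab hosts in this handout).
# file2 also carries a banner line, the sort of junk a scanner can leave in its output.
write_sample_lists() {
    dir="$1"
    printf '172.31.2.117\n172.31.2.24\n172.31.2.86\n' > "$dir/file1"
    printf 'scanning 172.31.2.0/24 on port 445\n172.31.2.24\n172.31.2.254\n172.31.2.86\n' > "$dir/file2"
}

# Stand-alone run: prints the host count, then the merged list
tmp=$(mktemp -d)
write_sample_lists "$tmp"
merge_host_lists "$tmp/lab.txt" "$tmp/file1" "$tmp/file2"
cat "$tmp/lab.txt"
rm -r "$tmp"
```

The merged file is what every later step of the process reads (the `-iL lab.txt` scans below), so it pays to get it right once here. Newer Nmap releases spell the ping sweep `-sn`; `-sP` is still accepted as the older name for the same scan.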
Step 2: Port Scan
-----------------
nmap -sS <IP-ADDRESS>
nmap -sU -p 69,161 <IP-ADDRESS>


---------------------------Type This-----------------------------------
sudo nmap -sS 172.31.2.0/24
sudo nmap -sU -p 69,161 172.31.2.0/24
-----------------------------------------------------------------------


Step 3: Bannergrab
------------------
nmap -sV <IP-ADDRESS>
nmap -sV -p- <IP-ADDRESS>
|
----> Vulnerability Research

---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.0/24
-----------------------------------------------------------------------



Step 4: Enumerate common Windows/Linux file sharing services
------------------------------------------------------------
Step 3 is where most people STOP, and you need to move on and look deeper.

---------------------------Type This-----------------------------------
sudo apt install smbclient libnss-winbind winbind
git clone https://github.com/portcullislabs/enum4linux.git
cd enum4linux/
perl enum4linux.pl -U 172.31.2.11

nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.86
---------------------------------------------------------------------------------------


Step 5: Vulnerability Scan the webservers
-----------------------------------------
git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h <IP-ADDRESS>



Step 6: Directory Bruteforce every webserver
--------------------------------------------
sudo apt install -y libcurl4-openssl-dev

git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

./dirb

./dirb http://<IP-ADDRESS> wordlists/big.txt



Step 7: Analyze source code of all webpages found
-------------------------------------------------
lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links

If you ever need to download an entire Web site, perhaps for off-line viewing, wget can do the job. For example:

$ wget \
--recursive \
--no-clobber \
--page-requisites \
--html-extension \
--convert-links \
--restrict-file-names=windows \
--domains website.org \
--no-parent \
www.website.org/tutorials/html/


This command downloads the Web site www.website.org/tutorials/html/.

The options are:

--recursive: download the entire Web site.

--domains website.org: don't follow links outside website.org.

--no-parent: don't follow links outside the directory tutorials/html/.

--page-requisites: get all the elements that compose the page (images, CSS and so on).

--html-extension: save files with the .html extension.

--convert-links: convert links so that they work locally, off-line.

--restrict-file-names=windows: modify filenames so that they will work in Windows as well.

--no-clobber: don't overwrite any existing files (used in case the download is interrupted and resumed).


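The `lynx -dump | grep -o "http:.*"` line above only catches `http:` links and keeps everything to the end of the line, so once a site is mirrored with wget you still want a cleaner way to list what the saved pages link to. The following is an added example, not part of the handout: a POSIX sh function that pulls absolute `http://` and `https://` links out of a saved page and can restrict the list to one host so the follow-up stays inside the engagement scope. The sample page is constructed here (not fetched from anywhere) and mixes in-scope links, a third-party script, a duplicate, and an address left in an HTML comment, which is the kind of thing Issue 1 says to look for in the source.

```shell
#!/bin/sh
# Added example (not from the original handout): list the absolute links in a
# saved page, matching both http:// and https://, optionally limited to one host.
# Usage: extract_links FILE [HOST]

extract_links() {
    file="$1"; host="$2"
    # A URL runs until a quote, whitespace, angle bracket or closing parenthesis.
    grep -oE "https?://[^\"' <>)]+" "$file" \
      | {
          if [ -n "$host" ]; then
              # escape the dots so the host is matched literally, then require it
              # to be followed by a port, a path, or the end of the URL
              host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
              grep -E "^https?://$host_re([:/]|$)"
          else
              cat
          fi
        } \
      | LC_ALL=C sort -u
}

# Constructed sample page standing in for a file saved by the wget mirror above.
sample_page() {
    cat <<'EOF'
<html><body>
<a href="http://www.website.org/tutorials/html/index.html">Tutorials</a>
<a href='https://www.website.org/login'>Login</a>
<script src="https://cdn.example.net/app.js"></script>
<a href="http://www.website.org/tutorials/html/index.html">Tutorials (again)</a>
<!-- status endpoint: http://10.0.0.5:8080/api/v1/status -->
</body></html>
EOF
}

# Stand-alone run: every link, then only the links on www.website.org
tmp=$(mktemp)
sample_page > "$tmp"
extract_links "$tmp"
echo "--- in scope only ---"
extract_links "$tmp" www.website.org
rm "$tmp"
```

Run it over each file of the mirror (`for f in www.website.org/**/*.html; do extract_links "$f"; done | sort -u`) to get one list per site; anything that shows up without the host filter but disappears with it is a link to something outside the target, which is worth writing down but not following.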
Step 8: Bruteforce any services you find
----------------------------------------
sudo apt install -y zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev
cd ~/toolz
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS>
hydra -l user -P passlist.txt ftp://<IP-ADDRESS>



##########################
# Step 1: Host Discovery #
##########################

Reason:
-------
You have to discover the reachable hosts in the network before you can attack them.


Host discovery syntax:
----------------------
nmap -sP 172.31.2.0/24
propecia 172.31.2 22 > file1
propecia 172.31.2 445 > file2
cat file1 file2 > file3
cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
cat lab.txt

Issues:
-------
The issue we had to deal with was hosts that didn't respond to ICMP, which is why the ping sweep is backed up by the TCP probes to ports 22 and 445 above.


Hosts discovered:
-----------------
172.31.2.24
172.31.2.47
172.31.2.86
172.31.2.117
172.31.2.181
172.31.2.217
172.31.2.238
172.31.2.254



#############################
# Step 2: Service Discovery #
#############################

sudo nmap -sS -p 22,135,80,445,8080 -iL lab.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-17 19:46 EDT
Nmap scan report for 172.31.2.24
Host is up (0.42s latency).

PORT     STATE    SERVICE
22/tcp   closed   ssh
80/tcp   open     http
135/tcp  closed   msrpc
445/tcp  open     microsoft-ds
8080/tcp open     http-proxy

Nmap scan report for 172.31.2.47
Host is up (0.52s latency).

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  closed   msrpc
445/tcp  closed   microsoft-ds
8080/tcp closed   http-proxy

Nmap scan report for 172.31.2.86
Host is up (0.13s latency).

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  closed   msrpc
445/tcp  open     microsoft-ds
8080/tcp open     http-proxy

Nmap scan report for 172.31.2.117
Host is up (0.57s latency).

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  closed   msrpc
445/tcp  closed   microsoft-ds
8080/tcp closed   http-proxy

Nmap scan report for 172.31.2.181
Host is up (0.69s latency).

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   closed   http
135/tcp  closed   msrpc
445/tcp  closed   microsoft-ds
8080/tcp closed   http-proxy

Nmap scan report for 172.31.2.217
Host is up (0.26s latency).

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
445/tcp  closed   microsoft-ds
8080/tcp closed   http-proxy

Nmap scan report for 172.31.2.238
Host is up (0.57s latency).

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  closed   msrpc
445/tcp  closed   microsoft-ds
8080/tcp closed   http-proxy

Nmap scan report for 172.31.2.254
Host is up (0.68s latency).

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   closed   http
135/tcp  closed   msrpc
445/tcp  closed   microsoft-ds
8080/tcp closed   http-proxy

Nmap done: 8 IP addresses (8 hosts up) scanned in 3.76 seconds
infosecaddicts@osboxes:~/toolz$


#####################################
# Step 3: Service Version Discovery #
#####################################
infosecaddicts@osboxes:~/toolz$ sudo nmap -sV -p 22,135,80,445,8080 -iL lab.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-17 19:47 EDT
Nmap scan report for 172.31.2.24
Host is up (0.26s latency).

PORT     STATE    SERVICE      VERSION
22/tcp   closed   ssh
80/tcp   open     http         Apache httpd 2.4.7 ((Ubuntu))
135/tcp  closed   msrpc
445/tcp  open     netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8080/tcp open     http         Apache Tomcat/Coyote JSP engine 1.1
Service Info: Host: CANYOUPWNME

Nmap scan report for 172.31.2.47
Host is up (0.52s latency).

PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http         Apache httpd 2.2.22 ((Ubuntu))
135/tcp  closed   msrpc
445/tcp  closed   microsoft-ds
8080/tcp closed   http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.86
Host is up (0.018s latency).

PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http         Apache httpd 2.4.7 ((Ubuntu))
135/tcp  filtered msrpc
445/tcp  open     netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8080/tcp open     http         Apache Tomcat/Coyote JSP engine 1.1
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.117
Host is up (0.15s latency).

PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http         Apache httpd 2.4.7 ((Ubuntu))
135/tcp  closed   msrpc
445/tcp  filtered microsoft-ds
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.181
Host is up (0.26s latency).

PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   filtered http
135/tcp  closed   msrpc
445/tcp  closed   microsoft-ds
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.217
Host is up (0.26s latency).

PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http         nginx
135/tcp  closed   msrpc
445/tcp  closed   microsoft-ds
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.238
Host is up (0.15s latency).

PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
80/tcp   open     http         nginx 1.6.2
135/tcp  closed   msrpc
445/tcp  filtered microsoft-ds
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.254
Host is up (0.36s latency).

PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   closed   http
135/tcp  closed   msrpc
445/tcp  closed   microsoft-ds
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 8 IP addresses (8 hosts up) scanned in 10.69 seconds
infosecaddicts@osboxes:~/toolz$



##################################
# Step 4: Vulnerability Research #
##################################

For each service version identified on each open port in the previous step, please go to exploit-db.com/search and send me the links to the potential exploits you can use to attack these hosts.
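Issue 3 above (document every step and its output) and this step both need the open ports and their versions as a list rather than as terminal scrollback. The following is an added example, not part of the handout, that parses the normal-format `nmap -sV` output shown in Step 3 with awk into one `ip,port,proto,service,version` line per open port; `sample_scan` prints a constructed excerpt in the same layout as that output (two of the hosts, trimmed) so the block runs offline, and in real use you would feed the saved scan file instead.

```shell
#!/bin/sh
# Added example (not from the original handout): extract open ports and their
# detected versions from "nmap -sV" normal output into CSV, so the scan log and
# the version lookups for Step 4 come from one file instead of the terminal.

# Constructed sample in the same layout as the Step 3 output (trimmed to two hosts).
sample_scan() {
    cat <<'EOF'
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-17 19:47 EDT
Nmap scan report for 172.31.2.24
Host is up (0.26s latency).

PORT     STATE    SERVICE      VERSION
22/tcp   closed   ssh
80/tcp   open     http         Apache httpd 2.4.7 ((Ubuntu))
445/tcp  open     netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: CANYOUPWNME

Nmap scan report for 172.31.2.217
Host is up (0.26s latency).

PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http         nginx
8080/tcp filtered http-proxy
Nmap done: 2 IP addresses (2 hosts up) scanned in 3.10 seconds
EOF
}

# Usage: nmap_open_services < nmap-output.txt
# Prints: ip,port,proto,service,version   (one line per open port)
nmap_open_services() {
    awk '
        # Each "Nmap scan report for" line starts a new host; the address is the
        # last field, wrapped in parentheses when nmap also printed a hostname.
        /^Nmap scan report for / {
            ip = $NF; sub(/^\(/, "", ip); sub(/\)$/, "", ip); next
        }
        # Port lines look like: 80/tcp   open   http   Apache httpd 2.4.7 ((Ubuntu))
        # Only "open" is kept; closed and filtered ports are noise for Step 4.
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            split($1, p, "/")
            version = ""
            for (i = 4; i <= NF; i++)
                version = version (i > 4 ? " " : "") $i
            printf "%s,%s,%s,%s,%s\n", ip, p[1], p[2], $3, version
        }
    '
}

# Usage: count_open_services < nmap-output.txt
count_open_services() {
    nmap_open_services | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample
sample_scan | nmap_open_services
```

Keep the CSV next to the raw scan file rather than instead of it: the raw output is the evidence, the CSV is the index into it. The version column is joined with single spaces and can itself contain commas for some services, so switch the printf separator to a tab if the file is going to be loaded into anything stricter than a text editor.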