TCP/IP Penetration Test - Exploitation
Page 1 / 184
Linkedin: https://www.linkedin.com/in/luigi-capuzzello/
Slideshare: http://www.slideshare.net/luigicapuzzello
Twitter: @FisherKasparov
Skype: luigi.capuzzello
Summary:
TCP/IP Penetration Test - Exploitation
Description of the last modification:
Insert description of the last modification here
Issued by: LUIGI CAPUZZELLO
Date: 10/05/2022
INDEX
1. LEGAL DISCLAIMER ................................................................................................................................................... 8
2. PENETRATION TEST PATH PHASES DESCRIPTION ...................................................................................................... 9
3. ETH-TCP/IP ATTACK PATH DESCRIPTION..................................................................................................................10
3.1. ATTACK PATH SHORT DESCRIPTION .................................................................................................................................. 12
4. GETTING COMFORTABLE WITH KALI LINUX..............................................................................................................13
4.1. TMUX....................................................................................................................................................................... 13
4.2. EDITOR VI ................................................................................................................................................................... 14
4.3. HOW TO INSTALL / UPDATE A PROGRAM ......................................................................................................................... 15
4.4. FIRST ACCESS TO KALI ................................................................................................................................................... 16
5. MANAGING KALI LINUX SERVICES............................................................................................................................18
5.1. SSH SERVICE............................................................................................................................................................... 18
How to activate the SSH server ........................................................................................................................ 18
Useful commands............................................................................................................................................ 19
5.2. HTTP SERVICE............................................................................................................................................................. 20
5.3. FTP SERVICE ............................................................................................................................................................... 20
5.4. TFTPD SERVICE........................................................................................................................................................... 21
5.5. SAMBA SERVICE......................................................................................................................................................... 21
5.6. VNC SERVICE.............................................................................................................................................................. 22
6. BASH: USEFUL COMMANDS......................................................................................................................................22
6.1. USEFUL COMMAND LIST ................................................................................................................................................. 22
6.2. GREP – AWK - SED.................................................................................................................................................... 25
6.3. COMM: FILE COMPARISON ........................................................................................................................................... 26
7. INFORMATION GATHERING.....................................................................................................................................26
7.1. INTERNAL NETWORK SCAN.............................................................................................................................................. 27
7.2. TARGET INFO ............................................................................................................................................................... 27
7.3. OSINT....................................................................................................................................................................... 28
7.4. DNS: DEFINE ATTACK SURFACE ....................................................................................................................................... 28
7.5. INFORMATION GATHERING FROM WEB: SHODAN - CENSYS ................................................................................................... 30
7.6. MALTEGO................................................................................................................................................................... 30
7.7. FACEBOOK .................................................................................................................................................................. 30
8. SERVICE INFORMATION GATHERING .......................................................................................................................32
8.1. NMAP........................................................................................................................................................................ 32
9. EXPLOITATION .........................................................................................................................................................34
9.1. EXPLOITATION WITH AUTOMATED TOOLS .......................................................................................................................... 34
nmap ............................................................................................................................................................... 34
Sites ................................................................................................................................................................. 35
Nessus.............................................................................................................................................................. 35
openVAS .......................................................................................................................................................... 36
Metasploit ....................................................................................................................................................... 38
Searchsploit / Metasploit: Known Vulnerabilities ............................................................................................ 39
Metasploit: Checking Non-Working Exploits .................................................................................................... 39
Meterpreter..................................................................................................................................................... 39
Armitage: Metasploit Interface....................................................................................................................... 41
Nessus and Metasploit .................................................................................................................................... 44
How to compile an exploit manually............................................................................................................. 45
9.2. [21] - FTP.................................................................................................................................................................. 46
Service Fingerprint........................................................................................................................................... 46
AuthN bypass: Anonymous Access .................................................................................................................. 46
AuthN bypass: Bruteforce................................................................................................................................ 46
Information Exposure ...................................................................................................................................... 46
Reverse Shell Activation .................................................................................................................................. 47
DOS.................................................................................................................................................................. 47
9.4. [22, 80, 445] - GIT..................................................................................................................................................... 48
AuthN bypass: Known Vuln ............................................................................................................................. 48
Information Exposure ...................................................................................................................................... 48
9.5. [22] - SSH ................................................................................................................................................................. 50
Service Fingerprint........................................................................................................................................... 50
AuthN Bypass: Connect through found key..................................................................................................... 50
AuthN bypass: Bruteforce................................................................................................................................ 50
AuthN bypass: Known Vuln ............................................................................................................................. 50
9.6. [22, 80, 443, 3690] - SVN.......................................................................................................................................... 52
AuthN bypass: Known Vuln ............................................................................................................................. 52
9.7. [23] - TELNET.............................................................................................................................................................. 52
AuthN bypass: Bruteforce................................................................................................................................ 52
9.8. [25] - SMTP .............................................................................................................................................................. 52
Service Fingerprint........................................................................................................................................... 52
AuthN bypass: Bruteforce................................................................................................................................ 52
Information Exposure ...................................................................................................................................... 53
Reverse Shell Activation .................................................................................................................................. 53
9.9. [50, 51, 500(UDP)] - IPSEC AND VPN ........................................................................................................................... 54
AuthN bypass: Bruteforce................................................................................................................................ 54
9.10. [53] - DNS............................................................................................................................................................... 55
Service Fingerprint......................................................................................................................................... 55
Information Exposure.................................................................................................................................... 55
9.11. [69] – TFTP............................................................................................................................................................. 55
Service Fingerprint......................................................................................................................................... 55
9.12. [79] - FINGER............................................................................................................................................................ 56
Information Exposure.................................................................................................................................... 56
9.13. [80] - HTTP ............................................................................................................................................................. 56
9.14. [88] - KERBEROS........................................................................................................................................................ 57
Information Exposure.................................................................................................................................... 57
9.15. [110] – POP3.......................................................................................................................................................... 57
9.16. [111, 2049] – NFS / RPC ......................................................................................................................................... 58
Information Exposure.................................................................................................................................... 58
9.17. [123] - NTP............................................................................................................................................................. 59
Information Exposure.................................................................................................................................... 59
9.18. [143, 993] - IMAP..................................................................................................................................................... 59
Information Exposure.................................................................................................................................... 59
9.19. [161] - SNMP.......................................................................................................................................................... 60
Service Fingerprint......................................................................................................................................... 60
AuthN bypass: Bruteforce.............................................................................................................................. 60
Information Exposure.................................................................................................................................... 60
9.20. [389] - AD............................................................................................................................................................... 61
Information Exposure.................................................................................................................................... 61
9.21. [389] - LDAP........................................................................................................................................................... 62
Information Exposure.................................................................................................................................... 63
9.22. [443] - HTTPS ......................................................................................................................................................... 65
9.23. [443, 8443] - OPENVPN............................................................................................................................................ 66
AuthN bypass: Bruteforce.............................................................................................................................. 66
9.24. [445] - SMB ............................................................................................................................................................ 67
Service Fingerprint......................................................................................................................................... 67
AuthN bypass: Bruteforce.............................................................................................................................. 67
Information Exposure.................................................................................................................................... 67
Reverse Shell Activation ................................................................................................................................ 75
9.25. [1433] - MSSQL...................................................................................................................................................... 78
Service Fingerprint......................................................................................................................................... 78
AuthN bypass: Bruteforce.............................................................................................................................. 78
Information Exposure.................................................................................................................................... 78
Reverse Shell Activation ................................................................................................................................ 79
9.26. [1521] - ORACLE..................................................................................................................................................... 80
Information Exposure: msfconsole ................................................................................................................ 80
Information Exposure: ODAT......................................................................................................................... 80
Reverse Shell Activation ................................................................................................................................ 83
9.27. [3128] - SQUID ......................................................................................................................................................... 87
Reverse Shell Activation ................................................................................................................................ 87
9.28. [3260] - ISCSI.......................................................................................................................................................... 88
Information Exposure.................................................................................................................................... 88
9.29. [3306] – MYSQL / MARIADB..................................................................................................................................... 89
Service Fingerprint......................................................................................................................................... 89
AuthN bypass: Anonymous Access ................................................................................................................ 89
AuthN bypass: Bruteforce.............................................................................................................................. 89
Information Exposure.................................................................................................................................... 89
Reverse Shell Activation: with searchsploit .................................................................................................... 90
Reverse Shell Activation: with UDF exploitation............................................................................................. 90
9.30. [3389] - RDP........................................................................................................................................................... 92
Service Fingerprint......................................................................................................................................... 92
AuthN bypass: Bruteforce.............................................................................................................................. 92
9.31. [5900] - VNC........................................................................................................................................................... 93
Service Fingerprint......................................................................................................................................... 93
AuthN bypass: Bruteforce.............................................................................................................................. 93
9.32. [5985] – WINRM ..................................................................................................................................................... 93
Reverse Shell Activation ................................................................................................................................ 93
9.33. [6379] - REDIS......................................................................................................................................................... 94
Information Exposure.................................................................................................................................... 94
Reverse Shell Activation ................................................................................................................................ 94
PostExploitation: write file (SSH / HTTP / CRONTAB) .................................................................................... 95
9.34. [8000] - JDWP: JAVA DEBUGGING PORT ...................................................................................................................... 97
Reverse Shell Activation ................................................................................................................................ 97
9.35. [8000] - AJENTI ........................................................................................................................................................ 97
Reverse Shell Activation ................................................................................................................................ 97
9.36. [8080] - TOMCAT ................................................................................................................................................... 98
Reverse Shell Activation ................................................................................................................................ 98
AuthN bypass ................................................................................................................................................ 98
Reverse Shell Activation ................................................................................................................................ 98
9.37. [9200] - ELASTICSEARCH ............................................................................................................................................ 99
Service Fingerprint......................................................................................................................................... 99
Information Exposure.................................................................................................................................... 99
9.39. [10000] - WEBMIN.................................................................................................................................................101
Reverse Shell Activation: with meterpreter (credentials may be required) ....................................................101
Reverse Shell Activation: manually (without credentials) .............................................................................102
9.40. [11211] - MEMCACHED............................................................................................................................................102
Information Exposure..................................................................................................................................102
9.41. [27017] - MONGODB .............................................................................................................................................104
Service Fingerprint.......................................................................................................................................104
AuthN bypass: Bruteforce............................................................................................................................104
Information Exposure..................................................................................................................................104
10. MODULE: CREATE A REVERSE SHELL ....................................................................................................................106
10.1. ![WINDOWS] BY MEANS OF SETOOLKIT .........................................................................................................................106
10.2. MANUALLY..............................................................................................................................................................107
[windows]: reverse shell ..............................................................................................................................107
[windows]: reverse shell ..............................................................................................................................108
[windows]: execute command.....................................................................................................................109
10.3. BY MEANS OF TOOL: NETCAT, SOCAT, NC .......................................................................................................................109
[Windows-Linux] Netcat..............................................................................................................................109
socat............................................................................................................................................................110
NCat.............................................................................................................................................................110
10.4. BY MEANS OF MSFVENOM: EXE, ELF, PHP, ASP, JSP, WAR..................................................................................................110
[Windows]: reverse shell/ bind shell / execute command / embedded execution ......................................110
[Windows] Reverse shell nishang ................................................................................................................111
[Linux]: reverse shell / bind shell .................................................................................................................111
[Linux] PHP: reverse shell ............................................................................................................................112
[Windows] ASP/ASPX: reverse shell.............................................................................................................112
WAR: reverse shell.......................................................................................................................................112
JSP: reverse shell..........................................................................................................................................112
10.5. BY MEANS OF SCRIPTING LANGUAGE: BASH, PERL, PYTHON, PHP, POWERSHELL ....................................................................112
[Linux] bash .................................................................................................................................................113
[Linux] Perl...................................................................................................................................................113
[Linux] python..............................................................................................................................................113
[Linux] PHP ..................................................................................................................................................113
[Windows] Powershell.................................................................................................................................113
10.7. AV EVASION ...........................................................................................................................................................114
![windows] msfvenom -> doubled enc.........................................................................................................114
manually......................................................................................................................................................117
by means of Shellter ....................................................................................................................................119
by means of mimikatz .................................................................................................................................120
11. MODULE SCRIPTING: USEFUL SCRIPT ...................................................................................................................127
11.1. JAVASCRIPT: IMPLEMENT POST ..................................................................................................................................127
11.2. LUA: READ / WRITE FILE............................................................................................................................................127
11.3. LUA: EXECUTE COMMAND.........................................................................................................................................128
11.4. PYTHON: BRUTEFORCE SOCKET TCP/UDP READING DATA FROM A FILE ..............................................................................128
11.5. PYTHON: BRUTEFORCE SOCKET ...................................................................................................................................129
11.6. PYTHON: READ DATA FROM MYSQL..............................................................................................................................129
11.7. PYTHON: TAKE DATA FROM A WEB PAGE, PROCESS IT AND SEND RESULT VIA POST ...............................................................130
11.8. PYTHON: BRUTEFORCE BY MEANS OF ANTI-CSRF ...........................................................................................................131
11.9. PYTHON: BRUTEFORCE SMTP....................................................................................................................................132
11.10. PYTHON: CRACK ENCRYPTED INFO KNOWING ALGORITHM WITH BRUTE FORCE ..................................................................134
11.11. PYTHON: CRACK ENCRYPTED INFO KNOWING ALGORITHM WITH DICTIONARY ...................................................................134
11.12. PYTHON: LFI.........................................................................................................................................................135
11.13. PHP: CRACK SALTED HASH PASSWORD......................................................................................................................136
12. MODULE: BRUTE FORCE.......................................................................................................................................137
13. MODULE: PASSWORD CRACKING.........................................................................................................................137
13.1. TOOLS..................................................................................................................................................................137
hashcat........................................................................................................................................................137
John The Ripper ...........................................................................................................................................137
hydra ...........................................................................................................................................................138
13.2. DICTIONARY.........................................................................................................................................................139
Ready to use ................................................................................................................................................139
Ready to use with HASH ..............................................................................................................................139
create one with john....................................................................................................................................139
create one manually....................................................................................................................................140
13.3. CRACK PASSWORD ON-LINE.......................................................................................................................................141
online Site....................................................................................................................................................141
13.4. CRACK PASSWORD OFF-LINE......................................................................................................................................141
Python: Crack Salted Hash Password ..........................................................................................................141
.htpasswd ....................................................................................................................................................142
Cisco Password Type 5, 7.............................................................................................................................142
Crack: Mozilla profile .default .....................................................................................................................143
Crack Groups.xml.........................................................................................................................................143
Generic hashes: John .....................................................................................................................143
Generic hashes: rcrack...................................................................................................................145
Generic hashes: RAINBOW TABLE .................................................................................................145
Generic hashes: ophcrack..............................................................................................................145
Crack Linux password ................................................................................................................................146
Crack: LUKS file..........................................................................................................................................146
JWT signature: hashcat....................................................................................................................147
.KIRBI (Kerberos Token) .............................................................................................................................147
MD5: hashcat ............................................................................................................................................148
PKI: private key with password .................................................................................................................148
VNC............................................................................................................................................................149
Windows Password Hash Cracking............................................................................................................153
Windows Password: john ..........................................................................................................................162
Windows: .dit and .bin...................................................................................................................163
WPA/WPA2: hashcat.................................................................................................................................164
WPA/WPA2: pyrit......................................................................................................................................164
WPA/WPA2: aircrack / john ......................................................................................................................165
ZIP..............................................................................................................................................................166
14. IPV6 .....................................................................................................................................................................166
14.1. NOTATIONS.............................................................................................................................................................166
14.2. TYPES OF ADDRESSING ..............................................................................................................................................166
14.3. SPECIAL ADDRESSING..................................................................................................................................................169
14.4. IPV6: ATTACK MANUALLY..........................................................................................................................................169
80: http....................................................................................................................................................................170
14.5. IPV6: ATTACK WITH ALIVE6 .......................................................................................................................................170
14.6. LOOKING AROUND ...................................................................................................................................................171
14.7. SETTING A GLOBAL ADDRESS ......................................................................................................................................171
14.8. IPV6 AND METASPLOIT .............................................................................................................................................172
14.9. SETTING UP AN IPV6 TUNNEL........................................................................................................................................175
15. APPENDIX: BECOME SILENT. ................................................................................................................................177
15.1. IPTABLES.................................................................................................................................................................177
15.2. TORTUNNEL - PROXYCHAINS........................................................................................................................................177
15.3. PROXYCHAIN...........................................................................................................................................................178
15.4. TOR......................................................................................................................................................................178
16. APPENDIX: CLEAN TRACES. ..................................................................................................................................180
17. APPENDIX: BASH SCRIPTING ................................................................................................................................180
17.1. VARIABLE................................................................................................................................................................180
17.2. FUNCTION ARGUMENT ..............................................................................................................................................180
17.3. READ USER INPUT.....................................................................................................................................................180
17.4. IF / ELSE STATEMENT...............................................................................................................................................181
17.5. FOR LOOP .............................................................................................................................................................181
17.6. WHILE LOOP..........................................................................................................................................................182
17.7. FUNCTION ...........................................................................................................................................................182
18. APPENDIX: DOCKER .............................................................................................................................................183
1. LEGAL DISCLAIMER
Usage of this document for attacking targets without prior mutual consent is
illegal. It is the end user's responsibility to obey all applicable local, state
and federal laws. The author assumes no liability and is not responsible for any
misuse or damage caused by this document.

Penetration Test Black Box type - exploitation phase

[22] - SSH ................................................................................................................................................................. 50 Service Fingerprint........................................................................................................................................... 50 AuthN Bypass: Connect through found key..................................................................................................... 50 AuthN bypass: Bruteforce................................................................................................................................ 50 AuthN bypass: Known Vuln ............................................................................................................................. 50 9.6. [22, 80, 443, 3690] - SVN.......................................................................................................................................... 52 AuthN bypass: Known Vuln ............................................................................................................................. 52 9.7. [23] - TELNET.............................................................................................................................................................. 52 AuthN bypass: Bruteforce................................................................................................................................ 52 9.8. [25] - SMTP .............................................................................................................................................................. 52 Service Fingerprint........................................................................................................................................... 52 AuthN bypass: Bruteforce................................................................................................................................ 
52 Information Exposure ...................................................................................................................................... 53 Reverse Shell Activation .................................................................................................................................. 53 9.9. [50, 51, 500(UDP)] - IPSEC E VPN ................................................................................................................................ 54 AuthN bypass: Bruteforce................................................................................................................................ 54 9.10. [53] - DNS............................................................................................................................................................... 55 Service Fingerprint......................................................................................................................................... 55 Information Exposure.................................................................................................................................... 55 9.11. [69] – TFTP............................................................................................................................................................. 55 Service Fingerprint......................................................................................................................................... 55 9.12. [79] - FINGER............................................................................................................................................................ 56 Information Exposure.................................................................................................................................... 56 9.13. [80] - HTTP ............................................................................................................................................................. 56 9.14. 
[88] - KERBEROS........................................................................................................................................................ 57 Information Exposure.................................................................................................................................... 57 9.15. [110] – POP3.......................................................................................................................................................... 57 9.16. [111, 2049] – NFS / RPC ......................................................................................................................................... 58 Information Exposure.................................................................................................................................... 58 9.17. [123] - NTP............................................................................................................................................................. 59 Information Exposure.................................................................................................................................... 59 9.18. [143 / 993]: IMAP................................................................................................................................................... 59 Information Exposure.................................................................................................................................... 59 9.19. [161] - SNMP.......................................................................................................................................................... 60 Service Fingerprint......................................................................................................................................... 60 AuthN bypass: Bruteforce.............................................................................................................................. 
60 Information Exposure.................................................................................................................................... 60 9.20. [389] AD................................................................................................................................................................. 61 Information Exposure.................................................................................................................................... 61 9.21. [389] LDAP............................................................................................................................................................. 62 Information Exposure.................................................................................................................................... 63 9.22. [443] - HTTPS ......................................................................................................................................................... 65 9.23. [443, 8443] - OPENVPN............................................................................................................................................ 66 AuthN bypass: Bruteforce.............................................................................................................................. 66
  • 4. TCP/IP Penetration Test Page 4 / 184 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello 9.24. [445] - SMB ............................................................................................................................................................ 67 Service Fingerprint......................................................................................................................................... 67 AuthN bypass: Bruteforce.............................................................................................................................. 67 Information Exposure.................................................................................................................................... 67 Reverse Shell Activation ................................................................................................................................ 75 9.25. [1433] - MSSQL...................................................................................................................................................... 78 Service Fingerprint......................................................................................................................................... 78 authN bypass: bruteforce.............................................................................................................................. 78 Information Exposure.................................................................................................................................... 78 Reverse Shell Activation ................................................................................................................................ 79 9.26. [1521] - ORACLE..................................................................................................................................................... 
80 Information Exposure: msfconsole ................................................................................................................ 80 Information Exposure: ODAT......................................................................................................................... 80 Reverse Shell Activation ................................................................................................................................ 83 9.27. [3128] - SQUID ......................................................................................................................................................... 87 Reverse Shell Activation ................................................................................................................................ 87 9.28. [3260] - ISCSI.......................................................................................................................................................... 88 Information Exposure.................................................................................................................................... 88 9.29. [3306] – MYSQL / MARIADB..................................................................................................................................... 89 Service Fingerprint......................................................................................................................................... 89 AuthN bypass: Anonymous Access ................................................................................................................ 89 AuthN bypass: Bruteforce.............................................................................................................................. 89 Information Exposure.................................................................................................................................... 
89 Reverse Shell Activation: con searchexploit .................................................................................................. 90 Reverse Shell Activation: con UDF exploitation............................................................................................. 90 9.30. [3389] - RDP........................................................................................................................................................... 92 Service Fingerprint......................................................................................................................................... 92 AuthN bypass: Bruteforce.............................................................................................................................. 92 9.31. [5900] - VNC........................................................................................................................................................... 93 Service Fingerprint......................................................................................................................................... 93 AuthN bypass: Bruteforce.............................................................................................................................. 93 9.32. [5985] – WINRM ..................................................................................................................................................... 93 Reverse Shell Activation ................................................................................................................................ 93 9.33. [6379]: REDIS......................................................................................................................................................... 94 Information Exposure.................................................................................................................................... 
94 Reverse Shell Activation ................................................................................................................................ 94 PostExploitation: write file (SSH / HTTP / CRONTAB) .................................................................................... 95 9.34. [8000] JDWP: JAVA DEBUGGING PORT ........................................................................................................................ 97 Reverse Shell Activation ................................................................................................................................ 97 9.35. [8000] - AJENTI ........................................................................................................................................................ 97 Reverse Shell Activation ................................................................................................................................ 97 9.36. [8080] TOMCAT ..................................................................................................................................................... 98 Reverse Shell Activation ................................................................................................................................ 98 AuthN bypass ................................................................................................................................................ 98 Reverse Shell Activation ................................................................................................................................ 98 9.37. [9200] - ELASTICSEARCH. ........................................................................................................................................... 99 Service Fingerprint......................................................................................................................................... 
99 Information Exposure.................................................................................................................................... 99 9.39. [10000] - WEBMIN.................................................................................................................................................101 Reverse Shell Activation: con meterpreter (possibili crdenziali necessarie) ................................................101 Reverse Shell Activation: manualmente (senza credenziali) .......................................................................102 9.40. [11211] - MEMCACHED............................................................................................................................................102 Information Exposure..................................................................................................................................102 9.41. [27017] - MONGODB .............................................................................................................................................104 Service Fingerprint.......................................................................................................................................104
  • 5. TCP/IP Penetration Test Page 5 / 184 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello AuthN bypass: Bruteforce............................................................................................................................104 Information Exposure..................................................................................................................................104 10. MODULE: CREATE A REVERSE SHELL ....................................................................................................................106 10.1. ![WINDOWS] BY MEANF OF SETOOLKIT .........................................................................................................................106 10.2. MANUALLY..............................................................................................................................................................107 [windows]: reverse shell ..............................................................................................................................107 [windows]: reverse shell ..............................................................................................................................108 [windows]: execute command.....................................................................................................................109 10.3. 
BY MEANS OF TOOL: NETCAT, SOCAT, NC .......................................................................................................................109 [Windows-Linux] Netcat..............................................................................................................................109 socat............................................................................................................................................................110 NCat.............................................................................................................................................................110 10.4. BY MEANS OF MSFVENOM: EXE, ELF, PHP, ASP, JSP, WAR..................................................................................................110 [Windows]: reverse shell/ bind shell / execute command / embedded execution ......................................110 [Windows] Reverse shell nishang ................................................................................................................111 [Linux]: reverse shell / bind shell .................................................................................................................111 [Linux] PHP: reverse shell ............................................................................................................................112 [Windows] ASP/ASPX: reverse shell.............................................................................................................112 WAR: reverse shell.......................................................................................................................................112 JSP: reverse shell..........................................................................................................................................112 10.5. 
BY MEANS OF SCRIPTING LANGUAGE: BASH, PERL, PYTHON, PHP, POWERSHELL ....................................................................112 [Linux] bash .................................................................................................................................................113 [Linux] Perl...................................................................................................................................................113 [Linux] python..............................................................................................................................................113 [Linux] PHP ..................................................................................................................................................113 [Windows] Powershell.................................................................................................................................113 10.7. AV EVASION ...........................................................................................................................................................114 ![windows] msfvenom -> doubled enc.........................................................................................................114 manually......................................................................................................................................................117 by means of Shellter ....................................................................................................................................119 by means of mimikatz .................................................................................................................................120 11. MODULE SCRIPTING: USEFUL SCRIPT ...................................................................................................................127 11.1. 
JAVASCRIPT: IMPLEMENT POST ..................................................................................................................................127 11.2. LUA: READ / WRITE FILE............................................................................................................................................127 11.3. LUA: EXECUTE COMMAND.........................................................................................................................................128 11.4. PYTHON: BRUTEFORCE SOCKET TCP/UDP READING DATA FROM A FILE ..............................................................................128 11.5. PYTHON: BRUTEFORCE SOCKET ...................................................................................................................................129 11.6. PYTHON: READ DATA FROM MYSQL..............................................................................................................................129 11.7. PYTHON: TAKE DATA FROM A WEB PAGE, PROCESS IT AND SEND RESULT VIA POST ...............................................................130 11.8. PYTHON: BRUTEFORCE BY MEANS OF ANTI-CSRF ...........................................................................................................131 11.9. PYTHON: BRUTEFORCE SMTP....................................................................................................................................132 11.10. PYTHON: CRACK ENCRYPTED INFO KWOWING ALGORITHM WITH BRUTE FORCE ..................................................................134 11.11. PYTHON: CRACK ENCRYPTED INFO KWOWING ALGORITHM WITH DICTIONARY ...................................................................134 11.12. PYTHON: LFI.........................................................................................................................................................135 11.13. 
PHP: CRACK SALTED HASH PASSWORD......................................................................................................................136 12. MODULE: BRUTE FORCE.......................................................................................................................................137 13. MODULE: PASSWORD CRACKING.........................................................................................................................137 13.1. TOOLS..................................................................................................................................................................137 hashcat........................................................................................................................................................137 John The Ripper ...........................................................................................................................................137 hydra ...........................................................................................................................................................138
  • 6. TCP/IP Penetration Test Page 6 / 184 Linkedin: https://www.linkedin.com/in/luigi-capuzzello/ Slideshare: http://www.slideshare.net/luigicapuzzello Twitter: @FisherKasparov Skype: luigi.capuzzello 13.2. DICTIONARY.........................................................................................................................................................139 Ready to use ................................................................................................................................................139 Ready to use with HASH ..............................................................................................................................139 create one with john....................................................................................................................................139 create one manually....................................................................................................................................140 13.3. CRACK PASSWORD ON-LINE.......................................................................................................................................141 online Site....................................................................................................................................................141 13.4. 
CRACK PASSWORD OFF-LINE ........................................................................ 141
Python: Crack Salted Hash Password ............................................................. 141
.htpasswd ...................................................................................... 142
Cisco Password Type 5, 7 ....................................................................... 142
Crack: Mozilla profile .default ................................................................ 143
Crack Groups.xml ............................................................................... 143
Generic hashes: John ........................................................................... 143
Generic hashes: rcrack ......................................................................... 145
Generic hashes: RAINBOW TABLE .................................................................. 145
Generic hashes: ophcrack ....................................................................... 145
Crack Linux password ........................................................................... 146
Crack: LUKS file ............................................................................... 146
JWT signature: hashcat ......................................................................... 147
.KIRBI (Kerberos Token) ........................................................................ 147
MD5: hashcat ................................................................................... 148
PKI: private key with password ................................................................. 148
VNC ............................................................................................ 149
Windows Password Hash Cracking ................................................................. 153
Windows Password: john ......................................................................... 162
Windows: .dit and .bin ......................................................................... 163
WPA/WPA2: hashcat .............................................................................. 164
WPA/WPA2: pyrit ................................................................................ 164
WPA/WPA2: aircrack / john ...................................................................... 165
ZIP ............................................................................................ 166
14. IPV6 ....................................................................................... 166
14.1. NOTATIONS ................................................................................ 166
14.2. TYPES OF ADDRESSING ...................................................................... 166
14.3. SPECIAL ADDRESSING ....................................................................... 169
14.4. IPV6: ATTACK MANUALLY .................................................................... 169
80: http ....................................................................................... 170
14.5. IPV6: ATTACK WITH ALIVE6 ................................................................. 170
14.6. LOOKING AROUND ........................................................................... 171
14.7. SETTING A GLOBAL ADDRESS ................................................................. 171
14.8. IPV6 AND METASPLOIT ...................................................................... 172
14.9. SETTING AN IPV6 TUNNEL ................................................................... 175
15. APPENDIX: BECOME SILENT .................................................................... 177
15.1. IPTABLES ................................................................................. 177
15.2. TORTUNNEL - PROXYCHAINS .................................................................. 177
15.3. PROXYCHAIN ............................................................................... 178
15.4. TOR ...................................................................................... 178
16. APPENDIX: CLEAN TRACES ..................................................................... 180
17. APPENDIX: BASH SCRIPTING ................................................................... 180
17.1. VARIABLE ................................................................................. 180
17.2. FUNCTION ARGUMENT ........................................................................ 180
17.3. READ USER INPUT .......................................................................... 180
17.4. IF / ELSE STATEMENT ...................................................................... 181
17.5. FOR LOOP ................................................................................. 181
17.6. WHILE LOOP ............................................................................... 182
17.7. FUNCTION ................................................................................. 182
18. APPENDIX: DOCKER ........................................................................... 183
1. LEGAL DISCLAIMER
Usage of this document for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not responsible for any misuse or damage caused by this document.