Covering a broad Spectrum of Pentesting

Covering a broad Spectrum of Pentesting

Table of Contents

  1. Initial Scanning
  2. Port/Service Enumeration
  3. Port 21 — FTP
  4. Port 22 — SSH
  5. Port 25/110/143 — SMTP/POP3/IMAP
  6. Port 53 — DNS
  7. Port 80/443 — HTTP/S
  8. Port 139/445 — SMB/SAMBA
  9. Port 389/636 — LDAP/S
  10. Port 3306 — MySQL
  11. Port 3389 — RDP
  12. Shells
  13. File Transfers
  14. Privilege Escalation

Initial Scanning

The initial scanning phase is probably the most crucial aspect of pentesting. The more info you can pull from this phase, the more you have to work with. You want to identify all open ports, what services/versions these ports are running, what OS the box is running, and if possible identify how old the OS is. Sometimes you can get lucky and the nmap scan will indicate that it may be an older Windows OS, something that could be vulnerable to ETERNALBLUE/ETERNALROMANCE, etc.

NMAP Scanning

Initial Scan:

Full TCP Scan:

Run the first scan again with “-p <additionally discovered ports>”

Vuln scan on all discovered ports:

UDP Scan:

Full UDP Scan:

If nmap scanning reveals open ports but not services/versions try banner grabbing:

Port/Service Enumeration

This phase is where we’re going to pull as much data/information as we can from each service/port. Some may contain sensitive files that reveal users, configurations, maybe creds, maybe OS versions, maybe it’ll reveal additionally installed software that may be exploitable later, maybe it can help get us remote access to the box, maybe there are exploits/vulnerabilities for the service version, etc..

Once you’ve run your nmap scans and got the services/versions use searchsploit or Google to find vulnerabilities/exploits:

If you find one you like (i.e. 12345.php) use searchsploit to copy it to your present working directory (PWD)

…OR…

Google “<service/version> exploit”. Try to find one on Exploit Database (EDB), these are usually pretty reliable. Also, a lot of these vulnerabilities have been exploited in previous CTFs/HTB, so I like to add “HTB” to the end of the Google search and see if I can find an example of someone exploiting it.

If there are no exploits for the services you find, it’s time to enumerate them. I’ve included a few of the most common ones I come across in CTFs below. Anything you need further help with just do a quick Google search “pentesting <xyz port/service>”. 9 times out of 10, I’ll go with whatever pops up in hacktricks: https://book.hacktricks.xyz/welcome/readme

Port 21 — FTP

File Transfer Protocol (FTP) is essentially a database/server that stores files. A successfully authenticated user can add, delete, or pull files to/from the server depending on their permissions.

FTP is notorious for their anonymous login capability, if anonymous login is allowed the creds will usually be “anonymous / anonymous@anonymous.com”

Log into FTP:

If successful, hop around the directories and see what files you can find. You can download them like “mget <filename>”. Test upload functionality in each directory as well “mput <filename>”. I’ve come across a situation in the past where the FTP server was the root of the web server, so I was able to upload a reverse shell to the FTP server and execute it by navigating to it on the website.

If you find creds later on, come back and try them on the FTP server. It may reveal files/dirs you didn’t previously have access to.

Port 22 — SSH

Secure Shell (SSH) is a method of establishing a shell connection to a remote host. You can use creds or an SSH key.

Start SSH Session:

If you find a user’s private key (usually called id_rsa inside their .ssh directory) in their home directory or somewhere else on the box copy it to your attack box and you can use it to authenticate via SSH.

As a last resort, you can try brute forcing your way in if you have a known user (root will pretty much always be a legit user):

Port 25/110/143 — SMTP/POP3/IMAP

I’m not going to provide my methodology for these ports because 9/10 times if these ports are crucial to exploitation in a CTF (and the version isn’t immediately exploitable — like one of the JAMES servers) then chances are you need to find a user’s creds somewhere and you’ll use these ports to login to their email client and read their emails.

Hacktricks has some good enumeration techniques for these ports, check it out if you need.

Port 53 — DNS

Domain Name System translates IPs to hostnames/domain names so you don’t need to type IP’s into your browser.

Once you discover a hostname/domain name, add it to your hosts file (remove the spaces in the file path, Medium doesn’t let me type that file path for some reason):

Zone Transfers:

Grab any info from records:

nslookup:

Port 80/443 — HTTP/S

These are arguably the most critical ones to enumerate (but also sometimes the hardest). Chances are if there’s a web server, it’s going to be your entry point into the system. There may be numerous web servers to throw you off, but it’ll be one of them, or they may need to be chained together. Way too much goes into web app pentesting, so I’m just giving my basic little checklist of things to do before I have to get crazy with BurpSuite.

Use nikto to enumerate the server’s architecture and run some basic checks to see if there are any files/directories/high-level vulnerabilities that really stand out:

Directory brute forcing. I like to use dirbuster because I’m not too proud to use the GUI, but here are some gobuster commands I’ll use if dirbuster doesn’t give me much:

Dirbuster is super simple though. Just enter the URL, choose a wordlist, increase the threads, run it.

Always check for /robots.txt, this will give you some “hidden” directories (dirs that the site doesn’t want web spiders to find). Check out the dirs in that file if it exists, might even need to re-run your directory brute force setting those dirs as your web root.

Always check every page source for possible developer comments or references to files/directories you may not have found previously. Also could help you enumerate API/framework versions and other software/versions on the site.

If it’s using a Content Management System (CMS) try to get the name/version. Google vulnerabilities/exploits for it, or default creds. May need to reconfigure the exploit and tailor it to whatever directory the CMS is running out of.

If you can’t find creds, try SQL Injection: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/

If you’re at the end of the road and literally can’t find anything, try to brute force the login form using hydra. You’ll have to Google specific tutorials for it, it’s highly dependent on the application.

If you’re not taking your OSCP exam try using SQLmap. It could help bypass login, or could help pull other sensitive data that could help log you in or progress you elsewhere.

If the site is running WordPress, try wpscan. It’s gotten me admin creds in the past. Example below (use -e to enumerate everything):

If the site has upload functionality, chances are this is how you’re going to get your first shell. Experiment with different file types (this is where knowing the OS comes in handy) and different naming conventions. Google “file upload pentesting” if you need a cheat sheet for file upload. Also, I’ve seen lots of beginners toss web shells onto a box and start freaking out on Reddit because their nc listener didn’t do anything.. Whether you upload a reverse shell or a web shell, you’ll need to know where the uploads get stored so you can manually navigate to the directory and execute it. The difference between a reverse shell and a web shell is that the web shell only gives you remote code execution (RCE) inside the website, whereas the reverse shell will connect back to your nc listener and give you a shell.

Port 139/445 — SMB/SAMBA

Server Message Block (SMB) is basically just a protocol that allows computers to access each other’s shares (directories/files). In Windows it’s SMB, in Linux it’s SAMBA.

If you don’t have creds try all of the enumeration techniques unauthenticated, then once you find some creds see if you can use them to re-run the enumeration and maybe some of those previously restricted shares will allow you to access them.

Enumerate everything (users, groups, shares, domains, etc.. if it works):

Manually enumerate shares:

Port 389/636 — LDAP/S

LDAP is like a hierarchical phone book for Active Directory. It provides lots of info about the domain. I included some LDAP enumeration in my “Active Directory Cheat Sheet” post. For CTFs, typically the most useful thing I’ll pull from LDAP enumeration is a list of domain users and sometimes even some default passwords. I usually use crackmapexec to verify the passwords against the list of users I found.

Grab all of the naming contexts:

Once you’ve found the naming contexts, enumerate them:

There’s more you can do to narrow your search, but I usually manually check some of the entries once I search on specific naming contexts then I’ll grep for some of the more interesting items. Like if there’s an entry called “default_pw” in every entry of a specific naming context I’ll just grep for “default_pw” or grep “users” or any other interesting thing I want to grab a list of.

Port 3306 — MySQL

MySQL is a SQL database. If you find creds for it you may be able to access it from your attack box. Sometimes in a netstat on the target box you’ll see that port 3306 is listening locally.. If you have the creds you can try running these commands from the target box, or you can set up port forwarding so you can access it from your attack box.

Port 3389 — RDP

RDP is Remote Desktop Protocol, essentially gives you GUI access to login to another computer. If you find creds to a user and aren’t sure how else to gain access, try RDP. It’s saved me a few times.

You can also try rdesktop, but xfreerdp has given me the most success in the past.

Shells

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://github.com/reider-roque/pentest-tools/tree/master/shells

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

MSFVenom Reverse Shell Payload Cheatsheet (with &amp; without Meterpreter)

Encrypt and Anonymize Your Internet Connection for as Little as $3/mo with PIA VPN. Learn More There are tons of…

infinitelogins.com

The above links have some resources for compiling your own reverse shells (MSFVenom) as well as simple one-liners depending on what commands your target has access to. Make sure you understand the OS you’re trying to exploit so you can rule out certain shells. For example, if you’re trying to get a reverse shell via file upload on a Windows web server you’d want to steer towards asp or aspx files, whereas a Linux web server you may want to try PHP.

If I have access to a Windows box or the web server can execute exe’s I like to make my own reverse shell to place on target:

If you have a “dumb shell”, upgrade it:

https://zweilosec.github.io/posts/upgrade-windows-shell/ [rlwrap is a helpful one for Windows shells, just add rlwrap in front of your normal nc listener command]

If on a Linux box type “tty” -> if it says “not a tty”:

File Transfers

If you’re trying to transfer a file to the target, make sure you have a web server set up in the dir your file is in:

File transfer from a Windows box:

File transfer from a Linux box:

Sometimes none of the above examples can be used, so you have to set up an SMB server on kali using impacket-smbserver [google it].

Transferring file TO attack box [I use this a lot to transfer SharpHound results]:

Privilege Escalation

There is so much that goes into privilege escalation I could write several posts on specific types of privesc methods per OS. However, I’m just running through my thought process when it comes to privesc.

Linux

  • run “sudo -l” [this will show you what commands can be run as root without root’s password]. If an entry exists, use GTFOBins to get the necessary command to privesc to root: https://gtfobins.github.io/
  • what user are you? “whoami”
  • Check all user directories in /home (use “ls -lisa” to view hidden files) for files that aren’t typically present. They may have sensitive info, indicate that there’s additional software on the box you can exploit, or the user might have an accessible SSH key in their .ssh directory. Check out .bash_history as well.
  • Check /tmp for any temporary files that are abnormal to a typical Linux instance.
  • Check cron jobs (linpeas.sh will do this for you)
  • Check /opt for additional software installed on the box.
  • Check “netstat -ano” to see what ports are listening, maybe you’ll find one only locally listening.
  • If a web server is running, check /var/www/<insert web directory> for interesting files. Some may contain creds.
  • Check “ps -ef” to see what processes are running as root. Maybe one of these will be what we need to take over.
  • Check /etc/passwd to see which users can log into the box, in case it’s a multi-user operation and one of them doesn’t have a home directory.
  • Run linpeas.sh — Parse through the output. Ones highlighted yellow are almost guaranteed to be a privesc method. Towards the bottom of the output it checks all files for creds (not 100% accurate, but it’s found creds for me in the past).

Chances are high that something in this enumeration will be your privesc method, it’s up to you to find and exploit it. If the intended path for exploitation wasn’t identified in any of this enumeration, Google “linux privilege escalation cheat sheet”.

Windows

I really dislike Privesc in Windows.. There are a ton of different privesc vectors, many dependent on the OS. A lot of the privesc methods I’ve come across are usually found as a result of Googling “Windows <OS version> exploit”, or it’s a software misconfiguration. It’s much less straight forward than Linux in my opinion, but it gets easier once you do it enough.

  • Same as with Linux, check all of the typical directories: any user home directory, the Windows\Temp directory, if there’s a web server check all the files in the directory, check “Program Files” for additionally installed software, etc.
  • Check “systeminfo” to get a lay of the land.
  • Check “whoami /priv” to see what privileges the current user is assigned.
  • Use windows-exploit-suggester. It just needs the output from systeminfo and it’ll suggest some exploits for you (runs locally on attack box — Google it).
  • If you have trouble compiling any binaries for kernel exploits, check out binsploits. It’s a collection of pre-compiled kernel exploits. They don’t always work but have a pretty good track record. https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits
  • Run winpeas to see if it can identify anything out of the ordinary. Itcan help you identify JuicyPotato/RottenPotato, possible unquoted service paths, maybe some dll injection, etc.. There is a lot of output from winpeas, not all of it is exploitable. You’ll learn over time what continuously pops up in every scan. The goal is to find the software that isn’t typically on a regular user’s computer, then if it pops up in the unquoted service path possibilities or DLL Injections take a look at it.
  • I have two one-liners I use sequentially to determine what files have weak permissions:

And that’s it! I know it’s not a very specific or in-depth cheat sheet, but it’s hard to cover all of the avenues and vectors without having to just write up specific guides/tutorials. Which I do plan on doing, but I’ve had a few requests for a basic pentesting cheat sheet. So here it is! Consider following me on here for more in the future 🙂

    Leave Your Comment Here

    This site uses Akismet to reduce spam. Learn how your comment data is processed.