Tryhackme:CC: Pen Testing(PART-1)

jagadeesh
8 min read · Mar 26, 2021


A crash course on various topics in penetration testing

[Section 1 — Network Utilities] — nmap:

nmap is one of the most important tools in a pen tester’s arsenal. It allows a pen tester to see which ports are open, and information about which services are running on those ports. Ergo, this task will focus on showing you nmap’s various flags. The beginning questions can be completed by using the nmap man page; the final questions will require you to deploy the machine.

1.What does nmap stand for?

A:network mapper

2.How do you specify which port(s) to scan?

A:-p

3.How do you do a “ping scan”(just tests if the host(s) is up)?

A:-sn

4.What is the flag for a UDP scan?

A:-sU

5.How do you run default scripts?

A:-sC

6.How do you enable “aggressive mode”(Enables OS detection, version detection, script scanning, and traceroute)

A:-A

7.What flag enables OS detection

A:-O

8.How do you get the versions of services running on the target machine

A:-sV

9.Deploy the machine

A:no answer need

10.How many ports are open on the machine?

A:1

11.What service is running on the machine?

A:Apache

12.What is the version of the service?

A:2.4.18

13.What is the output of the http-title script(included in default scripts)

A:Apache2 Ubuntu Default Page: It works
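Questions 10 to 13 are all answered by reading scan output, and in practice that output is consumed by scripts rather than by eye. The following is an added example, not part of the original room or write-up: a small parser for nmap’s XML output (the -oX option) that pulls out open ports, service versions and script results. The XML below is constructed by hand to mirror the answers above (one open port, Apache 2.4.18, the http-title script); the host address 10.10.10.10 is a placeholder.

```python
"""Parse nmap XML output (nmap -oX) into open ports, services and script results.

Added example. The sample XML is constructed to match the scan results quoted
in the room; real nmap XML carries many more attributes than are used here.
"""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -sC -oX - 10.10.10.10`, trimmed to the
# elements this parser reads. 10.10.10.10 is a placeholder address.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 10.10.10.10">
  <host>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="closed" reason="reset"/>
        <service name="ssh"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18" extrainfo="(Ubuntu)"/>
        <script id="http-title" output="Apache2 Ubuntu Default Page: It works"/>
        <script id="http-server-header" output="Apache/2.4.18 (Ubuntu)"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return one dict per open port: host, port, protocol, service, product,
    version and a {script-id: output} map for any -sC/--script results."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.iter("port"):
            state = port.find("state")
            # Only open ports matter for the inventory; skip closed/filtered.
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "scripts": {s.get("id"): s.get("output") for s in port.iter("script")},
            })
    return results


def summarize(xml_text):
    """Answer the room's questions from the XML: how many ports are open,
    which service/version runs on each, and what http-title reported."""
    ports = parse_open_ports(xml_text)
    return {
        "open_port_count": len(ports),
        "services": [
            " ".join(filter(None, [f"{p['port']}/{p['protocol']}", p["service"],
                                   p["product"], p["version"]]))
            for p in ports
        ],
        "http_titles": {p["port"]: p["scripts"]["http-title"]
                        for p in ports if "http-title" in p["scripts"]},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NMAP_XML).items():
        print(f"{key}: {value}")
```

Feeding real output is a matter of `nmap -sV -sC -oX scan.xml <host>` and passing the file contents to summarize(); the same structure (host, ports, port, state, service, script) is what every nmap version emits, so the parser is not tied to the sample.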

[Section 1 — Network Utilities] — Netcat:

Netcat aka nc is an extremely versatile tool. It allows users to connect to specific ports and send and receive data. It also allows machines to receive data and connections on specific ports, which makes nc a very popular tool to gain a Reverse Shell.

After you connect to a port with nc you will be able to send data; this also has the consequence that the user can pipe data through nc. For example, one can run echo hello | nc <ip> 1234 to send the string “hello” to the service running on port 1234.

Note: There are multiple versions of nc, so if you are unable to find an answer in your specific man page, try reading the man page for others!

1.How do you listen for connections?

A:-l

2.How do you enable verbose mode(allows you to see who connected to you)?

A:-v

3.How do you specify a port to listen on

A:-p

4.How do you specify which program to execute after you connect to a host(One of the most infamous)?

A:-e

5.How do you connect to udp ports

A:-u
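To make the two sides of the nc exchange above concrete, here is an added example (not from the original room or write-up) that reproduces them with plain sockets on the loopback interface: one function stands in for nc -l -v -p <port> (listen, report who connected, collect what they sent) and the other for echo hello | nc <ip> <port> (connect, send, close). The port is chosen by the operating system so the demo runs anywhere; nothing is executed on connect, so the -e behaviour is deliberately not modelled.

```python
"""Loopback stand-in for `nc -l -v -p <port>` and `echo hello | nc <ip> <port>`.

Added example: shows what the two nc flags in the task actually do at the
socket level. It binds to 127.0.0.1 on an OS-chosen port, so it runs offline.
"""
import socket
import threading


def serve_once(ready, result):
    """Listener side (`nc -l -v -p <port>`): accept one connection, record the
    peer address (the information verbose mode prints) and all bytes received."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
        srv.listen(1)
        result["port"] = srv.getsockname()[1]
        ready.set()                          # tell the client which port to use
        conn, peer = srv.accept()
        with conn:
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:                 # client closed its sending side
                    break
                chunks.append(data)
        result["peer"] = peer                # what `-v` shows: who connected
        result["data"] = b"".join(chunks)


def send_once(port, payload):
    """Client side (`echo hello | nc 127.0.0.1 <port>`): connect, write the
    piped bytes, then half-close so the listener sees end-of-stream."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)


def demo(payload=b"hello\n"):
    """Run listener and client together and return what the listener saw."""
    ready = threading.Event()
    result = {}
    listener = threading.Thread(target=serve_once, args=(ready, result), daemon=True)
    listener.start()
    if not ready.wait(5):
        raise RuntimeError("listener did not start")
    send_once(result["port"], payload)
    listener.join(5)
    return result


if __name__ == "__main__":
    seen = demo()
    print(f"connection from {seen['peer'][0]}:{seen['peer'][1]}")
    print(f"received {seen['data']!r}")
```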

[Section 2 — Web Enumeration] — gobuster:

One of the main problems of web penetration testing is not knowing where anything is. Basic reconnaissance can tell you where some files and directories are; however, some of the more hidden stuff is often hidden away from the eyes of users. This is where gobuster comes in: the idea behind gobuster is that it tries to find valid directories from a wordlist of possible directories. gobuster can also be used to find valid subdomains using the same method.

The beginning questions of this task use the gobuster man page, while the latter questions will use a virtual machine.

In the event your operating system does not provide the gobuster man page, please use gobuster --help

1.How do you specify directory/file brute forcing mode?

A:dir

2.How do you specify dns bruteforcing mode?

A:dns

3.What flag sets extensions to be used?

Example: if the php extension is set, and the word is “admin” then gobuster will test admin.php against the webserver

A:-e

4.What flag sets a wordlist to be used?

A:-w

5.How do you set the Username for basic authentication(If the directory requires a username/password)?

A:-u

6.How do you set the password for basic authentication?

A:-p

7.How do you set which status codes gobuster will interpret as valid?

Example: 200,400,404,204

A:-s

8.How do you skip ssl certificate verification?

A:-k

9.How do you specify a User-Agent?

A:-a

10.How do you specify a HTTP header?

A:-h

11.What flag sets the URL to bruteforce?

A:-u

12.Deploy the machine

A:no answer need

13.What is the name of the hidden directory

A:secret

14.What is the name of the hidden file with the extension xxa

A:password
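The flip side of the enumeration described above is what it leaves in the web server’s logs: one client requesting many wordlist paths in a short burst, most of them answered with 404. As an added example, not part of the original room or write-up, the script below parses Apache combined-format access log lines and flags clients whose 404 responses cluster within a time window. The log lines, addresses, paths and the User-Agent string are all constructed for the example.

```python
"""Flag directory brute-forcing in Apache combined-format access logs.

Added example. Detection rule: a single client producing at least
`min_not_found` 404 responses inside any `window_seconds` window.
All log lines below are constructed; addresses and paths are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: eight rapid requests from one client (seven 404s, one 301
# for a directory that exists) followed by ordinary browsing from another.
SAMPLE_LOG = """\
10.10.14.5 - - [26/Mar/2021:10:15:01 +0000] "GET /admin HTTP/1.1" 404 274 "-" "gobuster/3.0.1"
10.10.14.5 - - [26/Mar/2021:10:15:01 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.5 - - [26/Mar/2021:10:15:01 +0000] "GET /images HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.5 - - [26/Mar/2021:10:15:02 +0000] "GET /secret HTTP/1.1" 301 312 "-" "gobuster/3.0.1"
10.10.14.5 - - [26/Mar/2021:10:15:02 +0000] "GET /test.php HTTP/1.1" 404 277 "-" "gobuster/3.0.1"
10.10.14.5 - - [26/Mar/2021:10:15:02 +0000] "GET /login.php HTTP/1.1" 404 278 "-" "gobuster/3.0.1"
10.10.14.5 - - [26/Mar/2021:10:15:03 +0000] "GET /config.php HTTP/1.1" 404 279 "-" "gobuster/3.0.1"
10.10.14.5 - - [26/Mar/2021:10:15:03 +0000] "GET /uploads HTTP/1.1" 404 276 "-" "gobuster/3.0.1"
192.168.1.20 - - [26/Mar/2021:10:15:05 +0000] "GET / HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
192.168.1.20 - - [26/Mar/2021:10:15:07 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.1.20 - - [26/Mar/2021:10:16:09 +0000] "GET /about.html HTTP/1.1" 200 4530 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_enumeration(lines, min_not_found=5, window_seconds=60):
    """Return one finding per client IP whose 404s cluster: at least
    `min_not_found` of them within any `window_seconds` window."""
    not_found_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            not_found_by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in not_found_by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window over the sorted timestamps: largest burst of 404s.
        left, peak = 0, 0
        for right in range(len(recs)):
            while (recs[right]["ts"] - recs[left]["ts"]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= min_not_found:
            findings.append({
                "ip": ip,
                "not_found": len(recs),
                "peak_in_window": peak,
                "distinct_paths": len({r["path"] for r in recs}),
                "user_agents": sorted({r["ua"] for r in recs}),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOG):
        print(finding)
```

The 404 burst is the durable signal; a User-Agent such as the one in the sample is a bonus, since the -a flag covered above lets a scanner send any value it likes, so a detection should never rely on it alone.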

[Section 2 — Web Enumeration] — nikto:

nikto is a popular web scanning tool that allows users to find common web vulnerabilities. It is commonly used to check for common CVEs such as Shellshock, and to get general information about the web server that you’re enumerating.

1.How do you specify which host to use?

A:-h

2.What flag disables ssl?

A:-nossl

3.How do you force ssl?

A:-ssl

4.How do you specify authentication(username + pass)?

A:-id

5.How do you select which plugin to use?

A:-plugins

6.Which plugin checks if you can enumerate apache users?

A:apacheusers

7.How do you update the plugin list

A:-update

8.How do you list all possible plugins to use

A:-list-plugins

[Section 3 — Metasploit]: Intro:

Metasploit is one of the most popular penetration testing frameworks around. It contains a large database of almost every major CVE, which you can easily use against a machine. The aim of this section is to go through some of the major features of metasploit, and at the end there will be a machine that you will need to exploit.

[Section 3 Metasploit]: Setting Up:

Once you have installed metasploit through either the installer or your distribution’s repos, you will have many new commands available to you. This section will primarily focus on the msfconsole command.

Running that command will present you with an “msf5” prompt which will allow you to enter commands. All tasks can be answered with use of the “help” command.

1.What command allows you to search modules?

A:search

2.How do you select a module?

A:use

3.How do you display information about a specific module?

A:info

4.How do you list options that you can set?

A:options

5.What command lets you view advanced options for a specific module?

A:advanced

6.How do you show options in a specific category

A:show

[Section 3 — Metasploit]: — Selecting a module:

Once you have found the module for the specific machine that you want to exploit, you need to select it and set the proper options. This task will take you through selecting and setting options for one of the most popular metasploit modules “eternalblue”. All basic commands that could be run before selecting a module can also be done while a module is selected.

1.How do you select the eternalblue module?

A:set exploit/windows/smb/ms17_010_eternalblue

2.What option allows you to select the target host(s)?

A:RHOSTS

3.How do you set the target port?

A:RPORT

4.What command allows you to set options?

A:set

5.How would you set SMBPass to “username”?

A:set SMBPass username

6.How would you set the SMBUser to “password”?

A:set SMBUser password

7.What option sets the architecture to be exploited?

A:arch

8.What option sets the payload to be sent to the target machine?

A:payload

9.Once you’ve finished setting all the required options, how do you run the exploit?

A:exploit

10.What flag do you set if you want the exploit to run in the background?

A:-j

11.How do you list all current sessions?

A:sessions

12.What flag allows you to go into interactive mode with a session(“drops you either into a meterpreter or regular shell”)

A:-i

[Section 3 — Metasploit]: meterpreter:

Once you’ve run the exploit, ideally it will give you one of two things, a regular command shell or a meterpreter shell. Meterpreter is metasploit’s own “control center” where you can do various things to interact with the machine. A list of common meterpreter commands and their uses can be found here

Note: Regular shells can usually be upgraded to meterpreter shells by using the module post/multi/manage/shell_to_meterpreter

1.What command allows you to download files from the machine?

A:download

2.What command allows you to upload files to the machine?

A:upload

3.How do you list all running processes?

A:ps

4.How do you change processes on the victim host(Ideally it will allow you to change users and gain the perms associated with that user)

A:migrate

5.What command lists files in the current directory on the remote machine?

A:ls

6.How do you execute a command on the remote host?

A:execute

7.What command starts an interactive shell on the remote host?

A:shell

8.How do you find files on the target host(Similar function to the linux command “find”)

A:search

9.How do you get the output of a file on the remote host?

A:cat

10.How do you put a meterpreter shell into “background mode”(allows you to run other msf modules while also keeping the meterpreter shell as a session)?

A:background

[Section 3 — Metasploit]: Final Walkthrough:

It’s time to put all the other metasploit tasks together and test them on an example machine. This machine is currently vulnerable to the metasploit module exploit/multi/http/nostromo_code_exec on port 80, and this task will take you through the process of exploiting it and gaining a shell on the machine.

1.Select the module that needs to be exploited

A:exploit/multi/http/nostromo_code_exec

2.What variable do you need to set, to select the remote host

A:RHOSTS

3.How do you set the port to 80

A:RPORT

4.How do you set listening address(Your machine)

A:LHOST

5.Exploit the machine!

A:no answer need

6.What is the name of the secret directory in the /var/nostromo/htdocs directory?

A:s3cretd1r

7.What are the contents of the file inside of the directory?

A:Woohoo!

[Section 4 — Hash Cracking]: Intro:

Oftentimes during a pen test, you will gain access to a database. When you investigate the database you will often find a users table, which contains usernames and often hashed passwords. It is often necessary to know how to crack hashed passwords to gain authentication to a website (or if you’re lucky a hashed password may work for ssh!).

[Section 4 — Hash Cracking]: Salting and Formatting:

No matter what tool you use, virtually all of them expect the exact same format: a file with the hash(es) in it, each hash separated by a newline.

Example:

<hash 1>

<hash 2>

<hash 3>

Salts are typically appended to the hash on the same line, separated by a colon. Files with salted hashes still follow the same convention, with each hash being separated by a newline.

Example:

<hash1>:<salt>

<hash2>:<salt>

<hash3>:<salt>

Note: Different hashing algorithms treat salts differently. Some prepend them and some append them. Research what it is you’re trying to crack, and make the distinction.
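The file format above and the prepend-versus-append distinction in the note are both easy to get wrong when you configure a cracking tool. As an added example, not part of the original room or write-up, the script below parses the <hash>[:<salt>] one-per-line format and then, given one record whose plaintext is already known (for instance a test account created during the engagement), works out whether that application hashes salt+password or password+salt. SHA-256 is assumed as the algorithm; the sample file is generated inline from made-up salts and passwords, and the third record deliberately uses the opposite salt order.

```python
"""Parse '<hash>[:<salt>]' files and identify the salt convention.

Added example. Assumes SHA-256 as the hash function; both the records and
the "known" plaintexts below are constructed for the demonstration.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_record(password: str, salt: str, convention: str) -> str:
    """Build one '<hash>:<salt>' line. 'prepend' means H(salt || pw),
    'append' means H(pw || salt). Used only to construct the sample file."""
    pw, s = password.encode(), salt.encode()
    digest = sha256_hex(s + pw) if convention == "prepend" else sha256_hex(pw + s)
    return f"{digest}:{salt}"


# Constructed sample file in the format described above (one record per line).
# The third record uses the other salt order to show the distinction the note makes.
SAMPLE_HASH_FILE = "\n".join([
    make_record("Spring2021!", "a1b2c3", "prepend"),
    make_record("Welcome1", "d4e5f6", "prepend"),
    make_record("hunter2", "0789ab", "append"),
    "",  # trailing newline, as most tools write
])

# Plaintexts already known to the tester (e.g. their own test accounts), keyed by
# salt because every salt in the sample is unique. Constructed for the example.
KNOWN_PLAINTEXTS = {"a1b2c3": "Spring2021!", "d4e5f6": "Welcome1", "0789ab": "hunter2"}


def parse_hash_file(text):
    """Return a list of (hex_digest, salt_or_None) tuples. Blank lines and
    '#' comments are skipped; a non-hex digest raises ValueError."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, salt = line.partition(":")
        digest = digest.lower()
        if not digest or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: digest is not hexadecimal")
        records.append((digest, salt if sep else None))
    return records


def identify_salt_convention(digest, salt, known_password):
    """Return 'prepend', 'append' or None depending on which salt placement
    (if any) reproduces `digest` for the known plaintext under SHA-256."""
    pw, s = known_password.encode(), (salt or "").encode()
    if sha256_hex(s + pw) == digest:
        return "prepend"
    if sha256_hex(pw + s) == digest:
        return "append"
    return None


def audit(text, known_by_salt):
    """For every record whose plaintext is known, report the salt convention."""
    report = {}
    for digest, salt in parse_hash_file(text):
        if salt in known_by_salt:
            report[salt] = identify_salt_convention(digest, salt, known_by_salt[salt])
    return report


if __name__ == "__main__":
    for salt, convention in audit(SAMPLE_HASH_FILE, KNOWN_PLAINTEXTS).items():
        print(f"salt {salt}: {convention}")
```

In a real engagement a single known account is enough: once identify_salt_convention() names the order, the rest of the file can be handed to the cracking tool with the matching mode selected, instead of guessing and wasting a run.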

Please join my Telegram channel: https://t.me/hackerwheel

Please join my YouTube channel: https://www.youtube.com/channel/UCl10XUIb7Ka6fsq1Pl7m0Hg

Hackerwheel
Change the world
https://t.me/hackerwheel

happy hacking……….
