Jun 19, 2020

Ethical Hacking and Penetration Testing_Final Project Tools and Journey to Get Root Access

Disclaimer: My post is for academic purposes only, How to use this information is the visitor’s responsibility.

Our team decided that for the Final Project we wanted to try something different from the other groups. Since most of the lessons taught in class involve the Linux operating system as the target, we tried dabbling in the Windows Server operating system as our Final Project target. Since we had to find a third-party target, we chose a target server from the Hackthebox website.

Since we were dealing with Windows Server, the set of tools taught in class that remain useful is effectively reduced, so we tried to learn from the ground up how to enumerate a Windows server. From our initial port scanning we determined that we were dealing with an Active Directory server, so we searched for tools that could help us enumerate it and found three that were useful for our initial enumeration: Enum4Linux, rpcclient, and ldapsearch.

Enum4Linux is a tool for enumerating information from Windows and Samba systems. It can be used to search for, for example, the share directories of a server and the usernames present on it, as long as we provide credentials for the server. Since we had not obtained anything from the initial recon yet, I tried an anonymous login, and although we got the users of the server, we did not get any share directories. Later, after we obtained our first user credential, we tried enumerating the service again with that credential and found the share directories of the server.

rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. I used rpcclient to enumerate the users of the server, and as with enum4linux I tried an anonymous login and successfully got in. After we got in, we tried a lot of the commands listed in rpcclient, but since we were using an anonymous login most of them were denied, and I only obtained the usernames on the server.

ldapsearch is a command-line tool that opens a connection to an LDAP server, binds to it, and performs a search using a filter. From our first port scan we found LDAP on ports 389 and 3268, and using ldapsearch we were able to connect to them. On port 389 I found a lot of information about the users, and after some sorting of the data I found an encrypted password of a user and decrypted it.

Since our team now had the first user, we tried to connect to Samba itself with smbclient using our newly obtained user credential.

smbclient is a Samba client with an “FTP-like” interface. It is a useful tool to test connectivity to a Windows share. With the user credential we successfully established a connection to the Windows share, and there we found information on the second and third user credentials. However, the third credential could only be found on a Windows share that the second user has access to, so after we got the second user credential we enumerated again with it, using the previously mentioned tools and smbclient, and found an admin user. For decrypting the password of the second user, I used msfconsole; the details of how we did it are at https://github.com/frizb/PasswordDecrypts.

Since we had all the credentials we needed, we tried to establish a remote Windows connection using evil-winrm.

Evil-winrm is a WinRM (Windows Remote Management) shell for hacking/pen-testing; since I didn’t want to prepare a Windows virtual machine, I used this instead. Out of the three users, only two are capable of establishing a Windows Remote Management shell to the server. After some enumeration of the previous Windows share files and checking each user’s privileges, I found that the third user had a delete function; we checked the delete function and found that the deleted file contained the admin credentials, using Get-ADObject.

The Get-ADObject cmdlet gets an Active Directory object or performs a search to get multiple objects. Using the cmdlet, we tried to restore the file but failed to do so. After some searching, at https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adobject?view=win10-ps I found that we can look at the content of the deleted file without restoring it, and there we found the admin credentials. After that, I tried to establish a connection with the admin credential and we got into the shell as admin.

Written by muhammaddaffa in: Other |
Jun 16, 2020

Week_10_Ethical Hacking and Penetration Testing_Privilege Escalations


This week, I have learned about privilege escalation. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. There are no set rules for how to do privilege escalation, since every server offers different ways to do it. You can brute-force your way to the admin password, use a man-in-the-middle attack, and many more.

For a brute-force attack, you need a wordlist containing words for the attack. This attack is usually not recommended because of how long it takes to succeed and its very low chance of succeeding. You can use tools such as crunch to make the wordlist for the attack, and depending on the target you can use many tools to initiate the brute-force attack; for example, you can use aircrack to brute-force a Wi-Fi password.

A man-in-the-middle attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. There are a lot of ways to do a man-in-the-middle attack; you can use tools such as ettercap or do it manually via social engineering.

Jun 16, 2020

Week_9_Ethical Hacking and Penetration Testing_Target Exploitation


This week, I have learned about target exploitation. In this post, I’m going to explain tools such as msfconsole and msfvenom.

msfconsole and msfvenom are part of the Metasploit project, which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

I usually use msfconsole to set up a listener for my target in case my exploit works on the target.

msfvenom, on the other hand, has different functionality from msfconsole. I usually use msfvenom to make harmful malware that will be sent to the target, usually via a social engineering attempt.

With these two tools, you can exploit an Android device by sending an APK filled with malware to the Android device and using msfconsole as a listener in case the target opens the malicious APK.

Jun 16, 2020

Week_8_Ethical Hacking and Penetration Testing_Social Engineering


This week, I have learned about social engineering. The tool that I’m going to explain is Gophish, which specializes in phishing.

Gophish is an open-source phishing toolkit meant to help pentesters and businesses conduct real-world phishing simulations.

In the Gophish dashboard, there are 5 tabs that need to be filled in order to use Gophish: Sending Profile, Landing Page, Email Template, Users and Groups, and finally the Campaign tab.

• Sending Profile: Data used as the sender of the phishing email

• Landing Page: Login page used to capture data from the victim

• Email Template: The email that will be sent to the victim

• Users and Groups: List of the victims’ email addresses

• Campaign: Tab to start the email phishing simulation.

I personally like Gophish because of its ability to run multiple phishing attempts at the same time; it is also a very easy tool to learn, and making customized pages is very easy here.

Jun 16, 2020

Week_7_Ethical Hacking and Penetration Testing_SET TOOLKIT


This week, I have learned about the Social Engineering Toolkit. Personally, I don’t really like social engineering tools, but nevertheless it is a very good tool if you want to try dabbling in social engineering.

The Social Engineering Toolkit, in short, is a tool for social engineering with many features such as email phishing, web cloning, phone phishing, and many more. I usually use the Social Engineering Toolkit for web cloning, but even then it is, for me, very limited: for one, once you clone a website, you need to delete the HTML file of the cloned website first if you want to clone another website in the same session; also, at least for me, updating SET is very annoying, which is why I rarely use this tool. Other than those flaws, it is a very good tool.

Jun 16, 2020

Week_6_Ethical Hacking and Penetration Testing_Vulnerability Mapping


This week, I have learned about vulnerability mapping. I usually do vulnerability mapping with Nessus.

Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools.

For me personally, using Nessus is only about finding out what vulnerabilities exist on an IP address, and I usually use it not as a pentest tool but rather as a blue team tool for my server. After I use Nessus and the vulnerabilities are shown, I try to resolve the issues according to the vulnerabilities in the Nessus report.

Jun 16, 2020

Week_5_Ethical Hacking and Penetration Testing_Enumerating Target


This week, I have learned about enumerating targets. In this post, I will tell you about tools that are used to enumerate Windows server targets, such as ldapsearch, enum4linux, and rpcclient.

The ldapsearch tool issues search requests to a Lightweight Directory Access Protocol (LDAP) directory and displays the result as LDAP Data Interchange Format (LDIF) text. Its many options allow you to perform different types of search operations, from simple entry retrieval to advanced searches that involve security or directory referrals. The simplest way to use ldapsearch is with the -x option, which means simple authentication.

Enum4linux is used to extract information from Windows and Samba hosts. Personally, I used enum4linux to search for share directories on a Windows server and to check whether anonymous login is enabled on the server. With enum4linux, you can search share directories, groups, usernames, etc.

rpcclient is a tool initially developed to test MS-RPC functionality in Samba itself. In rpcclient, there are many commands that are useful for getting information on the target, like enumusers, enumgroup, and many more. Depending on the credentials that you use, not all rpcclient functions are going to work, and some functions might be denied because the credential doesn’t have the authorization to use them.
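The ldapsearch output described here and in the Final Project post above is LDIF, and the Final Project found a user’s password sitting in the directory data returned on port 389. As an added example (not code from the original posts or from ldapsearch), the script below parses LDIF text, handling base64 (`attr::`) values and folded lines, and flags free-text attributes such as `description` or `info` that mention a password, so a defender can audit their own directory for the same exposure. The sample LDIF, domain and account names are constructed for the example.

```python
import base64
import re

# Constructed sample of the LDIF that `ldapsearch -x` prints for two user
# objects (made up for this example, not output from the server in the post).
SAMPLE_LDIF = """\
dn: CN=Alice Smith,CN=Users,DC=example,DC=local
sAMAccountName: asmith
description: Helpdesk account

dn: CN=Svc Backup,CN=Users,DC=example,DC=local
sAMAccountName: svc_backup
description:: UGFzc3dvcmQgaXMgU3VtbWVyMjAyMCE=
info: Temporary account, rotate the pass
 word after migration
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry (base64 and folded values handled)."""
    entries, current = [], {}
    # LDIF folds long values by breaking the line and starting the next one
    # with a single space, so a newline followed by a space is just a join.
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def find_credential_leaks(text):
    """(sAMAccountName, attribute, value) for free-text attributes that mention a password."""
    hits = []
    for entry in parse_ldif(text):
        name = entry.get("sAMAccountName", ["?"])[0]
        for attr in ("description", "info"):
            for value in entry.get(attr, []):
                if re.search(r"pass(word|wd)?|pwd", value, re.IGNORECASE):
                    hits.append((name, attr, value))
    return hits
```

Pipe real `ldapsearch -x` output into `find_credential_leaks` to list accounts whose description or info fields should be cleaned up.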

Jun 16, 2020

Week_4_Ethical Hacking and Penetration Testing_Target Discovery


This week, I have learned about target discovery. Target discovery is a very important skill that a pentester needs in order to successfully get into a target server. One of the most popular tools used in target discovery is nmap.

nmap is an open-source tool for vulnerability scanning and network discovery. Network administrators use Nmap to identify what devices are running on their systems, discover the hosts that are available and the services they offer, find open ports, and detect security risks.

I personally use nmap to discover open ports on a target. There are many ways to use nmap other than port discovery; for example, you can use nmap with the krb5 script to find a list of users on a Kerberos server.

Using nmap is also very useful when you want to know which version of a service is running on a port; for example, you can find out what version of Windows Server is running by using nmap. Also keep in mind that when you use nmap it is better to specify the port numbers you want to scan, since the default nmap scan is only going to scan ports 1-10000, and if you want to scan ports other than those you need to specify them.
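Once ports and versions have been scanned, the defender’s question is which open services were not expected. As an added example (not code from the original post or from nmap), the script below parses nmap’s grepable (`-oG`) output and reports open ports outside an assumed baseline, with the version banner for triage. The scan text, host 10.0.0.5 and the baseline port set are constructed for the example.

```python
import re

# Constructed `nmap -sV -oG -` style output for one host (made up for this
# example; not a scan result from the post). The Ports field holds
# port/state/protocol/owner/service/rpc-info/version entries separated by ", ".
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -p 53,88,389,445,3268,5985 -oG - 10.0.0.5
Host: 10.0.0.5 (dc01.example.local)\tStatus: Up
Host: 10.0.0.5 (dc01.example.local)\tPorts: 53/open/tcp//domain//Simple DNS Plus/, 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, 445/open/tcp//microsoft-ds///, 3268/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0/\tIgnored State: closed (0)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Ports this domain controller is expected to expose to the scanning segment
# (assumed baseline for the example; WinRM on 5985 is deliberately left out).
EXPECTED_PORTS = {53, 88, 389, 445, 3268}


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        host, ports = m.group(1), []
        for entry in m.group(2).split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            ports.append((int(port), proto, state, service, version))
        result[host] = ports
    return result


def unexpected_open_ports(text, expected=EXPECTED_PORTS):
    """Open ports per host that are not in the baseline, with the banner for triage."""
    findings = {}
    for host, ports in parse_gnmap(text).items():
        extra = [(port, service, version)
                 for port, _proto, state, service, version in ports
                 if state == "open" and port not in expected]
        if extra:
            findings[host] = extra
    return findings
```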

Jun 16, 2020

Week_3_Ethical Hacking and Penetration Testing_Utilizing search engines


This week, I have learned how to use search engines as tools to improve my pentesting skills; using Google is one such way to find vulnerabilities on a target.

One way to utilize search engines is called Google hacking or Dorking. Google Dorking is an information-gathering technique in which an attacker leverages advanced Google search operators. Google hacking search queries can be used to identify security vulnerabilities in web applications, gather information on arbitrary or individual targets, discover error messages that disclose sensitive information, and discover files containing credentials and other sensitive data.

For example, a Google Dorking query can list SQL files on websites that have been indexed by Google.

Jun 16, 2020

Week 2_Ethical_Hacking_Class_Target Scoping • Information Gathering


This week I have learned information-gathering skills for pentesting with tools such as WHOIS lookup and dnsenum.

WHOIS lookup is a way for you to search the public database for information about a specific domain, such as the expiration date, current registrar, registrant information, etc.

WHOIS lookup is very useful if you want to know what your user is capable of; for example, you can use a WHOIS lookup to learn which actions the user is authorized to perform.

DNSenum is a tool designed with the purpose of enumerating DNS information about a domain. It is useful for pentesting that involves a website.

DNSenum can be used to find subdomains by initiating a DNS zone transfer against the target.
