Reviewing the Practical Network Penetration Tester (PNPT) Course Pt. 4
Previously I covered the Ethical Hacker Methodology and Reconnaissance sections of the Practical Ethical Hacking — The Complete Course. That review covered the typical methodology and processes used by ethical hackers when working through a penetration testing engagement, as well as how to gather the information needed to establish a starting point for a test. We learned about gathering information through Open Source Intelligence (OSINT) from social media networks, credentials obtained via previous data breaches, common tools to enumerate subdomains, and the “Google Fu” techniques that can be used to perform tailored searches for valuable information available to the public.
Let’s dive into the next two sections of the Practical Ethical Hacking — The Complete Course: Scanning and Enumeration, and Exploitation Basics.
The section starts with host discovery. Once you’ve identified your own IP address, running arp-scan -l or netdiscover -r x.x.x.0/24 will find everything else on the local network and list the connected devices. Note: the x.x.x comes from the first three octets of your IP address.
Once we’ve identified the IP address of the target machine, we can use Nmap to identify open ports and services using a modified version of the SYN / SYN-ACK / ACK handshake (which now looks like SYN / SYN-ACK / RST). A “stealth” scan is run by passing Nmap the -sS flag. While this once went undetected by network security tooling, most modern networks with decent security practices should detect this scan. The “stealth” comes from the use of the RST flag: a connection is never actually established. The port reveals that it is open by answering with SYN-ACK, and the scanner then tears the exchange down with RST instead of completing the handshake.
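Because the -sS pattern leaves the handshake incomplete, a defender can spot it from a host firewall log by counting ports that received a SYN from one source but never saw that source send the final ACK. The following Python is an added example for this review (not course material or Nmap’s own code); it assumes a constructed, simplified log format, one line per inbound packet, which you would swap for your firewall’s real format in parse_line():

```python
"""Flag SYN-scan behaviour in inbound connection logs.

Added example for this review, not material from the course. It assumes a
constructed, simplified host-firewall log (one line per inbound packet):
    <time> src=<ip> dport=<port> flags=<TCP flags, e.g. S, A, PA, R>
Real firewall formats differ; only parse_line() needs changing for them.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

# Constructed sample. 10.0.0.5 sends a bare SYN to eight ports and answers
# every SYN-ACK with RST (the -sS pattern); 10.0.0.9 completes a normal
# handshake to 443 and then sends data.
SAMPLE_LOG = """\
10:00:01 src=10.0.0.5 dport=21 flags=S
10:00:01 src=10.0.0.5 dport=21 flags=R
10:00:01 src=10.0.0.5 dport=22 flags=S
10:00:01 src=10.0.0.5 dport=22 flags=R
10:00:01 src=10.0.0.5 dport=23 flags=S
10:00:01 src=10.0.0.5 dport=23 flags=R
10:00:01 src=10.0.0.5 dport=25 flags=S
10:00:01 src=10.0.0.5 dport=25 flags=R
10:00:02 src=10.0.0.5 dport=80 flags=S
10:00:02 src=10.0.0.5 dport=80 flags=R
10:00:02 src=10.0.0.5 dport=443 flags=S
10:00:02 src=10.0.0.5 dport=443 flags=R
10:00:02 src=10.0.0.5 dport=445 flags=S
10:00:02 src=10.0.0.5 dport=445 flags=R
10:00:02 src=10.0.0.5 dport=3389 flags=S
10:00:02 src=10.0.0.5 dport=3389 flags=R
10:00:05 src=10.0.0.9 dport=443 flags=S
10:00:05 src=10.0.0.9 dport=443 flags=A
10:00:05 src=10.0.0.9 dport=443 flags=PA
"""


def parse_line(line):
    """Return (src_ip, dst_port, flags) for one log line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], int(m["dport"]), m["flags"]


def detect_syn_scans(log_text, min_ports=5):
    """Return {src_ip: [half-open ports]} for sources that sent SYNs to at least
    min_ports distinct ports without ever completing the handshake on them."""
    syn_ports = defaultdict(set)   # src -> ports that received a SYN
    ack_ports = defaultdict(set)   # src -> ports where the source later sent an ACK
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dport, flags = rec
        if flags == "S":
            syn_ports[src].add(dport)
        elif "A" in flags and "S" not in flags:
            # Third-handshake ACK or later data: this port really was connected to.
            ack_ports[src].add(dport)
    findings = {}
    for src, ports in syn_ports.items():
        half_open = ports - ack_ports[src]
        if len(half_open) >= min_ports:
            findings[src] = sorted(half_open)
    return findings


if __name__ == "__main__":
    for src, ports in detect_syn_scans(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {len(ports)} half-open ports {ports}")
```

On the constructed sample this reports 10.0.0.5 with eight half-open ports and says nothing about 10.0.0.9. The check keys on the missing third ACK, so a full connect scan (Nmap’s -sT), which completes the handshake before closing, would not trip it; for that case you would count the number of distinct ports one source connects to in a short window instead.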
The material then continues to cover basic Nmap usage such as the -p and -T flags, and explains some of the configuration options shown with the --help flag. Reviewing these options and getting more familiar with the tool will make your scanning much more customizable based on your testing needs. By identifying the open ports and the services running on them, we can learn information such as the technology, version and supported connection methods, and further enumerate them to determine potential weaknesses and vulnerability points on the network.
Once you’ve identified ports to explore, additional enumeration can be done. A great first step when you’ve noticed web servers running on a network is to explore them. By navigating to the open ports (typically Ports 80 and 443), you can start to identify the underlying services. During the course Heath explains the information that can be gained when you encounter default landing pages such as the Apache Test Page. Default pages can often indicate poor security hygiene by showing a disregard for configuration, and can lead to other information disclosure. Another step in enumerating a web server is directory listing: using brute force or a wordlist of common directory paths to determine what can be accessed within the application. Heath highlights the Nikto tool and how it can be used to identify server configuration issues and enumerate directories.
A basic Nikto scan can be run with the nikto -h [Target IP Address] command.
In addition to Nikto, Heath also highlights other possible directory enumeration tools such as Dirbuster, Dirb, and GoBuster.
Moving away from web enumeration, the material covers how to enumerate SMB services and how useful tools such as Metasploit can be. While Metasploit offers a wide range of modules, the main one used within the course for SMB enumeration is auxiliary/scanner/smb/smb_version. After properly configuring the module, the Samba version is returned and we can attempt to connect through the terminal via the smbclient -L \\\\IP Address\\ command. After connecting we learn more about Anonymous login configuration, how the file share can be accessed without any authentication credentials, and the limitations this has when attempting to access additional resources within the file share.
After touching on the SMB service, the material moves on to cover the information that can be learned through connection attempts to the SSH service, such as the supported ciphers and the RSA key fingerprint.
Once you have an idea of the ports, services, and other resources available on your target machine, you can start to use this information to research potential vulnerabilities associated with these technologies and find previously disclosed exploits. Great places to research exploits for known vulnerabilities are Exploit Database, CVE Details and Rapid7. Some of these resources may provide Proof of Concept (POC) exploits or previously-made modules for use during your test. Additionally, Heath highlights the built-in SearchSploit tool, which allows you to search the Exploit Database directly from your local computer.
Now that we’ve explored the scanning and enumeration phase of the Ethical Hacking methodology, we can start to move on to the active exploitation of our discovered vulnerabilities. When exploiting a remote machine it is important to understand the basic differences between a reverse shell and a bind shell. Heath does an amazing job explaining that a reverse shell occurs when the target machine connects back to the listening/attacking machine, whereas a bind shell happens when the attacking machine reaches out to the target machine and connects to an available, actively listening port. Additionally, when utilizing payloads to execute an exploit, it is crucial to understand the differences between staged and non-staged payloads.
- Staged Payloads: send the payload in stages and can be less stable
- Non-Staged Payloads: send the exploit code all at once, are larger in size, and may not always work
Once the fundamentals are covered, the material shows how to exploit a vulnerable version of Samba through a previously-discovered vulnerability using the linux/samba/trans2open Metasploit module. This exploit is then used to create a reverse shell and gain “root”, the highest administrative-level access to the machine. To ensure students are given a full picture of how multiple vulnerabilities can be used to obtain access to a machine, Heath continues by walking through how to utilize a known vulnerability within the OpenSSL service running on the machine. This addition adds immense value to the material, not only by highlighting multiple methods to gain access to the system, but also by demonstrating manual exploitation rather than a reliance on automated toolkits, which may not always be applicable to a given test environment.
To end the two modules, Heath covers how to target the SSH service running on the target machine through the use of a Brute Force attack, utilizing a list of potential usernames and passwords in an attempt to gain access. Another great way to compromise the service is through the use of Credential Stuffing, injecting account credentials obtained from a breach with the hope of a successful account login.
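From the defender’s side, these two attacks leave different footprints in the SSH daemon’s log: a brute-force attack repeats failures against one or a few accounts, while credential stuffing spreads a small number of attempts across many distinct accounts. The Python below is an added example for this review (not course material or anything from OpenSSH); it parses the standard “Failed password for …” / “Accepted … for …” lines that sshd writes to syslog, over a constructed sample log using TEST-NET addresses, and the classification thresholds are assumptions to tune for your environment:

```python
"""Separate password brute force from credential stuffing in sshd logs.

Added example for this review, not material from the course. It parses the
standard OpenSSH "Failed password for ..." / "Accepted ... for ..." syslog
lines; the sample below is constructed (TEST-NET addresses) and the
thresholds are assumptions to tune per environment.
"""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log. 203.0.113.5 hammers one account (brute force);
# 203.0.113.7 tries many accounts once each and gets in as one of them
# (credential stuffing); 198.51.100.2 is a legitimate user who mistyped once.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 50001 ssh2
Jan 10 10:00:02 bastion sshd[2202]: Failed password for root from 203.0.113.5 port 50002 ssh2
Jan 10 10:00:03 bastion sshd[2203]: Failed password for root from 203.0.113.5 port 50003 ssh2
Jan 10 10:00:04 bastion sshd[2204]: Failed password for root from 203.0.113.5 port 50004 ssh2
Jan 10 10:00:05 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 50005 ssh2
Jan 10 10:00:06 bastion sshd[2206]: Failed password for root from 203.0.113.5 port 50006 ssh2
Jan 10 10:01:01 bastion sshd[2301]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Jan 10 10:01:02 bastion sshd[2302]: Failed password for invalid user bob from 203.0.113.7 port 40002 ssh2
Jan 10 10:01:03 bastion sshd[2303]: Failed password for carol from 203.0.113.7 port 40003 ssh2
Jan 10 10:01:04 bastion sshd[2304]: Failed password for invalid user dave from 203.0.113.7 port 40004 ssh2
Jan 10 10:01:05 bastion sshd[2305]: Failed password for erin from 203.0.113.7 port 40005 ssh2
Jan 10 10:01:06 bastion sshd[2306]: Failed password for frank from 203.0.113.7 port 40006 ssh2
Jan 10 10:01:07 bastion sshd[2307]: Accepted password for erin from 203.0.113.7 port 40007 ssh2
Jan 10 10:02:01 bastion sshd[2401]: Failed password for alice from 198.51.100.2 port 60001 ssh2
Jan 10 10:02:05 bastion sshd[2402]: Accepted publickey for alice from 198.51.100.2 port 60002 ssh2
"""


def analyse_auth_log(log_text, min_failures=5):
    """Return {ip: finding} for sources with at least min_failures failed logins.

    A source that repeats attempts against few accounts is labelled brute-force;
    one that spreads attempts across many distinct accounts is labelled
    credential-stuffing. Any account the same source later got into is listed.
    """
    failures = defaultdict(list)  # ip -> usernames in failed attempts (with repeats)
    successes = defaultdict(set)  # ip -> usernames accepted
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes[m["ip"]].add(m["user"])

    report = {}
    for ip, users in failures.items():
        if len(users) < min_failures:
            continue
        distinct = set(users)
        # Heuristic (assumption): half or more of the attempts naming a different
        # account, and at least three accounts, looks like a breached-credential list.
        spread = len(distinct) >= max(3, len(users) // 2)
        report[ip] = {
            "pattern": "credential-stuffing" if spread else "brute-force",
            "attempts": len(users),
            "accounts": sorted(distinct),
            "logged_in_as": sorted(successes.get(ip, set())),
        }
    return report


if __name__ == "__main__":
    for ip, finding in analyse_auth_log(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

On the sample, 203.0.113.5 is reported as brute-force against root with no success, 203.0.113.7 as credential-stuffing across six accounts with a successful login as erin, and 198.51.100.2 is ignored because one mistyped password is below the threshold. The “logged_in_as” field is the one to act on first: a success following a burst of failures from the same source is the signal that a stuffed or guessed credential actually worked.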
Moving on from these sections, the course includes a mid-point Capstone that is meant to challenge the knowledge gained up to this point. After this we move on to Exploit Development, with an emphasis on Buffer Overflow attacks, as well as the exploitation of Active Directory services.