Network Penetration Testing
Agenda
Network Penetration Testing
• Information gathering
• Port scanning with Nmap
• Vulnerability Assessment with Nessus & OpenVas
• Exploiting Network Services & Web Vulnerabilities
• Privilege Escalation
• Password Cracking with John the Ripper & Hashcat
• Clearing the tracks
Information gathering
• Information gathering requires careful planning, research, and most
importantly, the ability to think like an attacker. At this step, you will attempt to
collect as much information about the target environment as possible.
• There are two types of information gathering: passive and active.
1) Passive information gathering
• Using passive information gathering, you can discover information about targets without
touching their systems.
2) Active information gathering
• In active information gathering, we interact directly with a system to learn more about it.
We might conduct port scans for open ports on the target or conduct scans to determine
what services are running. Each system or running service that we discover gives us another
opportunity for exploitation.
• But beware: if you get careless during active information gathering, you might be nabbed by an
intrusion detection system (IDS) or intrusion prevention system (IPS).
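The IDS/IPS point above holds because scanning leaves a distinctive trace: one source touching many ports on a host, or one port on many hosts, within a short time. The following added example (not from the slides) runs that detection over constructed firewall log lines; the iptables-style log format, the thresholds and the addresses are all assumptions made for the demonstration.

```python
"""Flag port-scan behaviour in firewall connection logs.

Added example for this page, not from the original slides. The iptables-style
log line format, the thresholds and the sample addresses are assumptions
constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line, one per TCP connection attempt the firewall saw, e.g.
# 2024-05-01T10:00:00 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=22
LINE_RE = re.compile(
    r"^(?P<ts>\S+) kernel: FW: .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r" .*?PROTO=TCP .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines we do not understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def _window_alert(src, window, port_threshold, host_threshold):
    """Inspect one source's events inside one time window.

    A vertical scan (nmap -p- style) touches many ports on a single host; a
    horizontal sweep (host-discovery style) touches one port on many hosts.
    """
    ports_per_host = defaultdict(set)
    hosts_per_port = defaultdict(set)
    for _, dst, dport in window:
        ports_per_host[dst].add(dport)
        hosts_per_port[dport].add(dst)
    for dst, ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            return {"src": src, "kind": "vertical", "target": dst, "count": len(ports)}
    for dport, hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            return {"src": src, "kind": "horizontal", "target": dport, "count": len(hosts)}
    return None


def detect_scans(lines, window_s=60, port_threshold=15, host_threshold=10):
    """Return at most one alert per source IP whose activity crosses either
    threshold within some window_s-second span."""
    events = sorted(e for e in map(parse_line, lines) if e)
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))

    alerts = []
    for src, evs in by_src.items():
        for i, (start_ts, _, _) in enumerate(evs):
            # Every event may open a window; collect what follows it within window_s.
            limit = start_ts + timedelta(seconds=window_s)
            window = [e for e in evs[i:] if e[0] <= limit]
            alert = _window_alert(src, window, port_threshold, host_threshold)
            if alert:
                alerts.append(alert)
                break
    return alerts


def build_sample_log():
    """Constructed sample: one vertical scanner, one horizontal sweeper, one
    benign web client and one unrelated line that must be skipped."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{ts} kernel: FW: IN=eth0 SRC={src} DST={dst} PROTO=TCP SPT=40001 DPT={dport}"
    lines = ["2024-05-01T10:00:00 kernel: something unrelated"]
    for i, dport in enumerate(range(1, 21)):        # 20 ports on one host in 20 s
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=i)).isoformat(),
                                src="192.0.2.10", dst="10.0.0.5", dport=dport))
    for i in range(12):                             # port 445 on 12 hosts in 24 s
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=2 * i)).isoformat(),
                                src="192.0.2.20", dst=f"10.0.0.{50 + i}", dport=445))
    for i, dport in enumerate((80, 443)):           # a normal client: two ports, one host
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=i)).isoformat(),
                                src="10.0.0.7", dst="10.0.0.5", dport=dport))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a['kind']:10s} scan from {a['src']} -> {a['target']} ({a['count']} distinct)")
```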
Information gathering (Contd.)
Information Gathering in Metasploitable 2
• Since our vulnerable machine is running on the same network, we can run the
netdiscover command to find the IP address of the Metasploitable 2
machine.
Port Scanning with Nmap
• Nmap is a network scanner created by Gordon Lyon.
• Nmap is used to discover hosts and services on a computer network by
sending packets and analyzing the responses.
• Nmap provides a number of features for probing computer networks,
including host discovery and service and operating system detection.
• Nmap is a command-line network scanner used to detect hosts and
services.
• Zenmap is a GUI version of Nmap.
• Nmap can be used by hackers to gain access to uncontrolled ports on a
system. All a hacker would need to do to successfully get into a targeted
system would be to run Nmap on that system, look for vulnerabilities, and
figure out how to exploit them.
Port Scanning with Nmap (Contd.)
• Target Specification
• Nmap Scan Techniques
• Host Discovery
• Port Specification
• Service and Version Detection
• OS Detection
• Timing and Performance
• Timing and Performance Switches
• NSE Scripts
• Useful NSE Script Examples
• Firewall / IDS Evasion and Spoofing
• Miscellaneous Nmap Flags
Reference link: https://www.stationx.net/nmap-cheat-sheet/
Port Scanning with Nmap (Contd.)
• nmap -p- -sV TargetIP (scans all TCP ports and reports service and version
details)
Port Scanning with Nmap (Contd.)
• nmap --script vuln -p- TargetIP (runs the NSE scripts in the vuln category against all ports; a basic vulnerability scan)
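On the defending side, the same `nmap -p- -sV` run, written to XML with `-oX`, is the raw material for an asset inventory. The added example below (not from the slides) parses nmap's XML output into a per-host service list and diffs the open ports against an approved baseline; the XML and the baseline are constructed for the demonstration.

```python
"""Build a service inventory from nmap's XML output and diff it against an
approved baseline.

Added example for this page, not from the slides. The XML is constructed by
hand in the shape `nmap -p- -sV -oX scan.xml TargetIP` writes; the baseline of
approved ports is an assumption for the demonstration.
"""
import xml.etree.ElementTree as ET

# Constructed sample output: one host up with four open ports and one filtered
# port, one host down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sV -oX scan.xml 10.0.0.0/29">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1" method="probed"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.8" method="probed"/></port>
      <port protocol="tcp" portid="1524"><state state="open" reason="syn-ack"/>
        <service name="bindshell" method="table"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql" method="table"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed approved baseline: which TCP ports each host is allowed to listen on.
BASELINE = {"10.0.0.5": {22, 80}}


def parse_nmap_xml(xml_text):
    """Return {ip: {port: (protocol, service, product, version)}} covering only
    hosts that are up and ports nmap reports as open."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        services = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name, product, version = (
                (svc.get("name"), svc.get("product"), svc.get("version"))
                if svc is not None else (None, None, None))
            services[int(port.get("portid"))] = (port.get("protocol"), name, product, version)
        inventory[addr.get("addr")] = services
    return inventory


def diff_against_baseline(inventory, baseline):
    """Return {ip: {"unknown_host": bool, "ports": [...]}} for every host that
    is absent from the baseline, or that listens on ports the baseline does
    not approve. Those entries are the defender's follow-up to a scan."""
    unexpected = {}
    for ip, services in inventory.items():
        allowed = baseline.get(ip)
        if allowed is None:
            unexpected[ip] = {"unknown_host": True, "ports": sorted(services)}
        else:
            extra = sorted(p for p in services if p not in allowed)
            if extra:
                unexpected[ip] = {"unknown_host": False, "ports": extra}
    return unexpected


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for ip, services in inv.items():
        for port, (proto, name, product, version) in sorted(services.items()):
            print(f"{ip}:{port}/{proto} {name} {product or ''} {version or ''}".rstrip())
    print("unexpected:", diff_against_baseline(inv, BASELINE))
```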
Vulnerability Assessment with Nessus
In the Nessus scanner interface:
• 1) Click on New Scan
• 2) Choose a scan template
• 3) I'm choosing the Advanced Scan template
• 4) In Basic -> General, give the scan a name and the targets
• 5) In Discovery, disable Ping
• 6) In Port Scan, set the port scan range to 0-65535
• 7) If you have credentials, provide them; the type depends on the operating system
• For Windows authentication, choose Windows
• For Linux authentication, choose SSH
• 8) In the Plugins section, disable Denial of Service
• 9) Launch the scan
• 10) View the results
• 11) Export the report in HTML, PDF or CSV format
Vulnerability Assessment with Nessus (Contd.)
Compare the results of unauthenticated and authenticated scans
Exploiting Network Services & Web Vulnerabilities
FTP – Port 21
• The File Transfer Protocol (FTP) is a standard communication protocol
used for the transfer of computer files from a server to a client on a
computer network.
• FTP is built on a client–server model architecture using separate
control and data connections between the client and the server.
• Usage: in the Kali terminal, use the ftp command to connect to the FTP server: ftp TargetIP
Exploiting VSFTPD 2.3.4
• Use Searchsploit to find the relevant exploit for vulnerable software
versions
Exploiting VSFTPD 2.3.4 (Contd.)
• msf > use exploit/unix/ftp/vsftpd_234_backdoor
• msf exploit (unix/ftp/vsftpd_234_backdoor) > set rhost TargetIP
• msf exploit (unix/ftp/vsftpd_234_backdoor) > exploit
Brute forcing FTP Login
• hydra -L user.txt -P pass.txt TargetIP ftp
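A wordlist run like this is loud in the server's own log: many FAIL LOGIN lines from one client across several usernames, possibly followed by an OK LOGIN. The added example below (not from the slides) scores vsftpd log lines that way and separates plain guessing from a guess that succeeded; the log line format is an assumption and the sample lines are constructed.

```python
"""Detect password guessing against FTP in vsftpd's log file.

Added example for this page, not from the original slides. The log lines are
constructed in the shape vsftpd writes to /var/log/vsftpd.log (the exact format
is an assumption); the thresholds are arbitrary choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# e.g.  Fri May 10 10:00:01 2024 [pid 1201] [msfadmin] FAIL LOGIN: Client "192.0.2.10"
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_login(line):
    """Return (timestamp, client_ip, username, succeeded) or None for other lines."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], m["user"], m["result"] == "OK"


def analyze_ftp_log(lines, fail_threshold=10, window_s=300):
    """Return {client_ip: finding} for clients whose failed logins reach
    fail_threshold inside any window_s-second span.

    A finding is 'bruteforce' while only failures are seen and becomes
    'success-after-bruteforce' once the same client logs in after crossing
    the threshold; that second case needs a responder, not just a block rule.
    """
    by_ip = defaultdict(list)
    for ev in map(parse_login, lines):
        if ev:
            by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, _, _, ok in evs if not ok]
        # densest run of failures inside the window (two-pointer sweep)
        peak, start = 0, 0
        for end in range(len(fails)):
            while (fails[end] - fails[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < fail_threshold:
            continue
        failures_so_far, compromised = 0, set()
        for _, _, user, ok in evs:
            if ok and failures_so_far >= fail_threshold:
                compromised.add(user)
            elif not ok:
                failures_so_far += 1
        findings[ip] = {
            "failures": len(fails),
            "peak_in_window": peak,
            "usernames_tried": len({u for _, _, u, ok in evs if not ok}),
            "kind": "success-after-bruteforce" if compromised else "bruteforce",
            "compromised_accounts": sorted(compromised),
        }
    return findings


def build_sample_log():
    """Constructed sample: a wordlist run that eventually hits, a user who
    mistyped twice, and a non-login line that must be ignored."""
    fmt = '{ts} [pid {pid}] [{user}] {res} LOGIN: Client "{ip}"'
    t0 = datetime(2024, 5, 10, 10, 0, 0)

    def line(sec, pid, user, res, ip):
        return fmt.format(ts=(t0 + timedelta(seconds=sec)).strftime(TS_FMT),
                          pid=pid, user=user, res=res, ip=ip)

    lines = ['Fri May 10 09:59:58 2024 [pid 1199] CONNECT: Client "192.0.2.10"']
    users = ["msfadmin", "user", "ftp", "admin"]
    for i in range(12):                      # 12 failures in 12 s, 4 usernames
        lines.append(line(i, 1200 + i, users[i % 4], "FAIL", "192.0.2.10"))
    lines.append(line(13, 1213, "msfadmin", "OK", "192.0.2.10"))
    lines.append(line(40, 1220, "alice", "FAIL", "10.0.0.7"))
    lines.append(line(45, 1221, "alice", "FAIL", "10.0.0.7"))
    lines.append(line(50, 1222, "alice", "OK", "10.0.0.7"))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, finding in analyze_ftp_log(SAMPLE_LOG).items():
        print(ip, finding)
```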
Exploiting Port 22 - SSH
SSH – Port 22
• The Secure Shell Protocol is a cryptographic network protocol for
operating network services securely over an unsecured network.
• Its most notable applications are remote login and command-line
execution.
• SSH applications are based on a client–server architecture,
connecting an SSH client instance with an SSH server.
• Usage: ssh root@TargetIP
Exploiting Port 22 - SSH (Contd.)
Exploiting port 23 - TELNET
TELNET – Port 23
• Telnet is an application protocol used on the Internet or local area
network to provide a bidirectional interactive text-oriented
communication facility using a virtual terminal connection.
• TELNET is commonly used by terminal emulation programs that
allow you to log into a remote host. However, TELNET can also be
used for terminal-to-terminal communication and interprocess
communication. TELNET is also used by other protocols (for example,
FTP) for establishing a protocol control channel.
• Usage: telnet TargetIP TargetPort
Exploiting port 23 - TELNET (Contd.)
Exploiting port 23 - TELNET (Credential Capture)
Exploiting port 23 - TELNET (Contd.)
Exploiting Port 25 - SMTP
SMTP – Port 25
• The Simple Mail Transfer Protocol is an Internet standard communication
protocol for electronic mail transmission.
• Mail servers and other message transfer agents use SMTP to send and
receive mail messages.
• The client that wants to send mail opens a TCP connection to the SMTP
server and then sends the mail across that connection. The SMTP server is
always in listening mode.
• The SMTP process listens for TCP connections from any client on port 25.
Once the TCP connection is successfully established, the client process
sends the mail immediately.
Exploiting Port 25 - SMTP (Contd.)
• smtp-user-enum -M VRFY -U user.txt -t TargetIP
Exploiting Port 80 HTTP
• Port 80 is the port number assigned to the commonly used Internet
communication protocol, Hypertext Transfer Protocol (HTTP).
• It is the default network port used to send and receive unencrypted
web pages.
• Visit http://metasploitable2IP
• Check for hidden directories and files on the web server
Exploiting Port 80 HTTP (Contd.)
Exploiting Port 80 HTTP (Contd.)
Exploiting Port 139 & 445
• SMB is a network file sharing protocol that requires an open port on
a computer or server to communicate with other systems. SMB
ports are generally port numbers 139 and 445.
• Port 139 is used by SMB dialects that communicate over NetBIOS. It
operates as an application-layer network protocol for device
communication in Windows operating systems over a network. For
example, printers and serial ports communicate via port 139.
• Port 445 is used by newer versions of SMB (after Windows 2000) directly on
top of the TCP stack, allowing SMB to communicate over the Internet.
This also means you can address hosts by IP address to use SMB features such as file
sharing.
Exploiting Port 139 & 445 (Contd.)
• Early versions of the SMB protocol were exploited during the WannaCry
ransomware attack through a zero-day exploit called EternalBlue.
• WannaCry exploited legacy Windows systems that used an
outdated version of the SMB protocol.
• WannaCry is a network worm with a transport mechanism designed to
spread itself automatically. The transport code scans for systems
vulnerable to the EternalBlue exploit, installs the DoublePulsar
backdoor tool, and executes a copy of itself.
• It then initiates an SMBv1 connection to the device and uses a buffer
overflow to take control of the system and install the ransomware
component of the attack.
Exploiting Port 139 & 445 (Contd.)
Exploiting Port 5432 - Postgres
• PostgreSQL is used for Adaptive Authentication (TCP).
• Port 5432 is opened for the Postgres database used in the Behavioral
Analytics feature of PCS.
• While scanning, customers may raise queries about port 5432, as this
port is enabled on the internal interface. However, an attacker
cannot connect to it.
• On some default Linux installations of PostgreSQL, the Postgres
service account may write to the /tmp directory and may also source
UDF shared libraries from there, allowing execution of
arbitrary code.
Exploiting Port 5432 – Postgres (Contd.)
Exploiting Port 6667 - UnrealIRCD
• UnrealIRCd is an open-source IRC daemon, originally based on
DreamForge, and is available for Unix-like operating systems and
Windows.
• Once users are connected to an IRC server, they can converse with
other users connected to any server in the IRC network.
• IRC provides for group communication, via named channels, as well as
personal communication through “private” messages.
• UnrealIRCD backdoor - The remote IRC server is a version of
UnrealIRCD with a backdoor that allows an attacker to execute
arbitrary code on the affected host.
Exploiting Port 6667 - UnrealIRCD
Exploiting Port 36255 - distcc
• Distcc (Daemon Command Execution) is designed to speed up
compilation by taking advantage of unused processing power on
other computers.
• A machine with distcc installed can send code to be compiled across
the network to a computer which has the distccd daemon and a
compatible compiler installed.
• distcc works as an agent for the compiler.
Exploiting Port 36255 – distcc (Contd.)
Remote Login Exploitation
• rlogin (remote login) is a tool that was used before SSH came into the
picture. Since we have the login credentials for Metasploitable 2, we
will use rlogin to connect to it, using the "-l" flag to specify the
login name: rlogin -l msfadmin TargetIP
Remote Shell Exploitation
• The remote shell protocol (rsh) is another way to gain a remote shell. It is a
legitimate service that we will use to access the target machine with the
login credentials and run a single command: rsh -l msfadmin TargetIP
ifconfig
Exploiting Distributed Ruby (8787)
• Distributed Ruby, also known as dRuby, or DRb, is a distributed object
system for the Ruby programming language that allows for remote
method calls between Ruby processes, even if they are on different
machines. It uses its own protocol and is written entirely in pure
Ruby.
• This makes for a flexible service that developers can use to enhance
certain programs, but it also opens up a security flaw when not
properly implemented, such as in older versions of dRuby.
• Since this is typically used for smaller projects and novice programs,
there usually isn't a lot of concern for security issues.
Exploiting Distributed Ruby (8787)
Bind shell Exploitation – Port 1524
• Metasploitable 2 comes with an open bind shell service running on
port 1524. We will be using Netcat to connect to it.
• nc TargetIP 1524
Exploiting Port 5900 - VNC
• Virtual Network Computing is a graphical desktop-sharing system
that uses the Remote Frame Buffer protocol to remotely control
another computer.
• It transmits the keyboard and mouse input from one computer to
another, relaying the graphical-screen updates, over a network.
• This service can be exploited using a module in Metasploit to find
the login credentials.
Exploiting Port 5900 – VNC (Contd.)
Exploiting Port 8180 - Apache Tomcat
• Apache Tomcat is a free and open-source implementation of the
Jakarta Servlet, Jakarta Expression Language, and WebSocket
technologies.
• It provides a "pure Java" HTTP web server environment in which Java
code can also run.
• Thus it is a Java web application server, although not a full JEE
application server.
Exploiting Port 8180 - Apache Tomcat (Contd.)
Exploiting Port 3306 - MYSQL
• The MySQL database in Metasploitable 2 has negligible security; we
will connect to it using the mysql client on Kali, specifying the
username and the host IP. The password is left blank.
Exploiting Web Vulnerabilities
Privilege Escalation via Port 2049: NFS
• In this method, we create an SSH key without a passphrase and
exchange it with the root user's SSH key on the victim machine.
• We use ssh-keygen to generate an RSA key pair without a passphrase; by
default it is placed in the "/root/.ssh" folder, where the key is looked for.
Once the key is created and in place, we create a directory
"/tmp/sshkey/" on our local machine.
• We then mount the victim machine's filesystem on the directory we just made,
using the NFS file-sharing service. Once it is mounted, we write the key
from our machine onto the victim's machine, a sort of override, using the
cat command. Keep in mind that our key has no passphrase, so after
the override the key on the victim machine also has no passphrase;
when we connect using ssh, it works with a blank password.
Privilege Escalation via Port 2049: NFS (Contd.)
• showmount -e TargetIP
• ssh-keygen
• mkdir /tmp/sshkey
• mount -t nfs TargetIP:/ /tmp/sshkey/
• cat ~/.ssh/id_rsa.pub >> /tmp/sshkey/root/.ssh/authorized_keys
• umount /tmp/sshkey
• ssh root@TargetIP
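The walkthrough above only works because the export covers the whole filesystem, is mounted by any client, and does not squash root, so a remote root can write into /root/.ssh. The added example below (not from the slides) audits an /etc/exports file for exactly those conditions and shows a hardened line that passes; the sample file and the hardened line are constructed, and option defaults follow exports(5).

```python
"""Audit /etc/exports for the conditions the NFS walkthrough above relies on:
a writable export of a system path, to every client, with root not squashed.

Added example for this page, not from the slides. The sample exports file is
constructed; the hardened line is one reasonable replacement, not the only one.
"""
import re

# Defaults applied by exportfs when an option is not given (exports(5)).
DEFAULTS = {"ro", "sync", "root_squash", "secure"}
# Options that switch their counterpart off.
OPPOSITE = {"rw": "ro", "ro": "rw", "no_root_squash": "root_squash",
            "root_squash": "no_root_squash", "insecure": "secure",
            "secure": "insecure", "async": "sync", "sync": "async"}
SYSTEM_PATHS = ("/", "/root", "/home", "/etc", "/usr", "/var")
TOKEN_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


def effective_options(opt_string):
    """Apply the given comma-separated options on top of the defaults."""
    opts = set(DEFAULTS)
    for opt in filter(None, (opt_string or "").split(",")):
        opt = opt.strip()
        opts.discard(OPPOSITE.get(opt, ""))
        opts.add(opt)
    return opts


def parse_exports(text):
    """Yield (path, client, option_string) triples from exports(5) syntax."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        # Assumption for this audit: a path with no client list is treated as a world export.
        tokens = parts[1].split() if len(parts) > 1 else ["*"]
        for token in tokens:
            m = TOKEN_RE.match(token)
            if m:
                yield path, m.group(1), m.group(2)


def is_system_path(path):
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SYSTEM_PATHS[1:])


def audit_exports(text):
    """Return (path, client, issue) findings; an empty list means nothing was flagged."""
    findings = []
    for path, client, opt_string in parse_exports(text):
        opts = effective_options(opt_string)
        if client == "":
            # exports(5) gotcha: "host (rw)" with a space gives host the defaults
            # and applies (rw) to every host.
            findings.append((path, client, "options separated from the client by whitespace apply to every host"))
        elif client == "*":
            findings.append((path, client, "exported to every client"))
        if "no_root_squash" in opts and "all_squash" not in opts:
            findings.append((path, client, "no_root_squash: a remote root keeps uid 0 on this export"))
        if "rw" in opts and is_system_path(path):
            findings.append((path, client, "writable export of a system path"))
        if "insecure" in opts:
            findings.append((path, client, "insecure: requests accepted from unprivileged source ports"))
    return findings


# Constructed sample; the first line is the kind of export the walkthrough above needs.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed for this example)
/           *(rw,no_root_squash,sync)
/srv/share  10.0.0.0/24(rw,sync) 10.0.0.9(ro)
/srv/pub    10.0.0.0/24 (rw)
"""
# Same share restricted to one subnet, root squashed, privileged source ports required.
HARDENED_LINE = "/srv/share 10.0.0.0/24(rw,root_squash,sync,secure)"

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12s} {client or '<every host>':14s} {issue}")
    print("hardened line findings:", audit_exports(HARDENED_LINE))
```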
Password Cracking with JTR & Hashcat
• John the Ripper is a free password cracking software tool. Originally
developed for the Unix operating system, it can run on fifteen
different platforms.
• Hashcat is a password recovery tool. It is open-source software.
Examples of Hashcat-supported hashing algorithms are LM hashes,
MD4, MD5, the SHA family and Unix crypt formats.
• Example Hashes:
https://hashcat.net/wiki/doku.php?id=example_hashes
Clearing the tracks
• The final phase of every successful hacking attack is clearing the
tracks.
• It is very important, after gaining access and misusing the network,
that the attacker covers their tracks to avoid being traced and caught.
THANK YOU !

Weitere ähnliche Inhalte

Was ist angesagt?

Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 

Was ist angesagt? (20)

Wireshark
WiresharkWireshark
Wireshark
 
Metasploit
MetasploitMetasploit
Metasploit
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Nmap
NmapNmap
Nmap
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
Nessus Basics
Nessus BasicsNessus Basics
Nessus Basics
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
NMAP
NMAPNMAP
NMAP
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 

Ă„hnlich wie Network Penetration Testing

Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
Cengage Learning
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
tehkotak4
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
nickyt8
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit framework
Le Quyen
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
ShainaBoling829
 

Ă„hnlich wie Network Penetration Testing (20)

Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...
Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...
Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...
 
Network Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting ToolsNetwork Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting Tools
 
Network scan
Network scanNetwork scan
Network scan
 
Phases of penetration testing
Phases of penetration testingPhases of penetration testing
Phases of penetration testing
 
Chap 1 Network Theory & Java Overview
Chap 1   Network Theory & Java OverviewChap 1   Network Theory & Java Overview
Chap 1 Network Theory & Java Overview
 
Scanning and Enumeration in Cyber Security.pptx
Scanning and Enumeration in Cyber Security.pptxScanning and Enumeration in Cyber Security.pptx
Scanning and Enumeration in Cyber Security.pptx
 
lecture5.pptx
lecture5.pptxlecture5.pptx
lecture5.pptx
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
An Toan Thong Tin.pptx
An Toan Thong Tin.pptxAn Toan Thong Tin.pptx
An Toan Thong Tin.pptx
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit framework
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 
Application Protocol
Application Protocol Application Protocol
Application Protocol
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 
Nous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB BlueNous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB Blue
 

Mehr von Mohammed Adam

Mehr von Mohammed Adam (20)

Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Android Penetration Testing - Day 1
Android Penetration Testing - Day 1Android Penetration Testing - Day 1
Android Penetration Testing - Day 1
 
Wireless Penetration Testing
Wireless Penetration TestingWireless Penetration Testing
Wireless Penetration Testing
 
Basic Foundation For Cybersecurity
Basic Foundation For CybersecurityBasic Foundation For Cybersecurity
Basic Foundation For Cybersecurity
 
Golden Ticket Attack - AD - Domain Persistence
Golden Ticket Attack - AD - Domain PersistenceGolden Ticket Attack - AD - Domain Persistence
Golden Ticket Attack - AD - Domain Persistence
 
Evading Antivirus software for fun and profit
Evading Antivirus software for fun and profitEvading Antivirus software for fun and profit
Evading Antivirus software for fun and profit
 
Introduction to Network Fundamentals
Introduction to Network FundamentalsIntroduction to Network Fundamentals
Introduction to Network Fundamentals
 
Breaking out of crypto authentication
Breaking out of crypto authenticationBreaking out of crypto authentication
Breaking out of crypto authentication
 
Cybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamCybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by Adam
 
Career Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed AdamCareer Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed Adam
 
Introduction to null villupuram community
Introduction to null villupuram communityIntroduction to null villupuram community
Introduction to null villupuram community
 
Internet security
Internet securityInternet security
Internet security
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2
 
OSINT - Open Soure Intelligence - Webinar on CyberSecurity
OSINT - Open Soure Intelligence - Webinar on CyberSecurityOSINT - Open Soure Intelligence - Webinar on CyberSecurity
OSINT - Open Soure Intelligence - Webinar on CyberSecurity
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
 
Network Security
Network SecurityNetwork Security
Network Security
 

KĂĽrzlich hochgeladen

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

KĂĽrzlich hochgeladen (20)

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

Network Penetration Testing

  • 2. Agenda Network Penetration Testing • Information gathering • Port scanning with Nmap • Vulnerability Assessment with Nessus & OpenVas • Exploiting Network Services & Web Vulnerabilities • Privilege Escalation • Password Cracking with John the Ripper & Hash cat • Clearing the tracks
  • 3. Information gathering • Information gathering requires careful planning, research, and most importantly, the ability to think like an attacker. At this step, you will attempt to collect as much information about the target environment as possible. • There are two types of information gathering: passive and active. 1) Passive information gathering • Using passive information gathering, you can discover information about targets without touching their systems. 2) Active information gathering • In active information gathering, we interact directly with a system to learn more about it. We might conduct port scans for open ports on the target or conduct scans to determine what services are running. Each system or running service that we discover gives us another opportunity for exploitation. • But beware If you get careless while active information gathering, you might be nabbed by an IDS or intrusion prevention system (IPS).
  • 5. Information Gathering in Metasploitable 2 • Since our vulnerable machine running in same network, we can run netdiscover command to check the IP address of Metasploitable 2 Machine
  • 6. Port Scanning with Nmap • Nmap is a network scanner created by Gordon Lyon. • Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. • Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection • Nmap is a command-line network scanner used to detect hosts and services. • Zenmap is a GUI version of Nmap. • Nmap can be used by hackers to gain access to uncontrolled ports on a system. All a hacker would need to do to successfully get into a targeted system would be to run Nmap on that system, look for vulnerabilities, and figure out how to exploit them.
  • 7. Port Scanning with Nmap (Contd.) • Target Specification • Nmap Scan Techniques • Host Discovery • Port Specification • Service and Version Detection • OS Detection • Timing and Performance • Timing and Performance Switches • NSE Scripts • Useful NSE Script Examples • Firewall / IDS Evasion and Spoofing • Miscellaneous Nmap Flags Reference link: https://www.stationx.net/nmap-cheat-sheet/
  • 8. Port Scanning with Nmap (Contd.) • nmap -p- -sV TargetIP (Scanning for open ports & Service version details)
  • 9. Port Scanning with Nmap (Contd.) • nmap --script vuln -p- TargetIP (Kind of vulnerability Scan)
  • 10. Vulnerability Assessment with Nessus In Nessus scanner Interface • 1) Click on New Scan • 2) Choose the Scan templates • 3) I'm choosing Advanced Scan - Scan template • 4) In Basic -> General -> Give some name & Targets • 5) In Discovery -> Disable Ping • 6) In Port Scan -> give Port scan range from 0-65535 • 7) If you have credentials provide the same - depends on operating system • For Windows authentication -> choose windows • For Linux authentication -> choose SSH • 8) In plugins section -> Disable Denial of Service • 9) Launch the scan • 10) View the results • 11) Export the reports as HTML, PDF, CSV Formats
11. Vulnerability Assessment with Nessus (Contd.)
Compare the difference in results between unauthenticated and authenticated scans.
12. Exploiting Network Services & Web Vulnerabilities
FTP – Port 21
• The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network.
• FTP is built on a client–server model architecture using separate control and data connections between the client and the server.
• Usage:
• In a Kali terminal, use the ftp command to connect to the FTP server: ftp TargetIP
13. Exploiting VSFTPD 2.3.4
• Use Searchsploit to find the relevant exploit for vulnerable software versions
14. Exploiting VSFTPD 2.3.4 (Contd.)
• msf > use exploit/unix/ftp/vsftpd_234_backdoor
• msf exploit(unix/ftp/vsftpd_234_backdoor) > set rhost TargetIP
• msf exploit(unix/ftp/vsftpd_234_backdoor) > exploit
15. Brute forcing FTP Login
• hydra -L user.txt -P pass.txt TargetIP ftp
16. Exploiting Port 22 - SSH
SSH – Port 22
• The Secure Shell Protocol is a cryptographic network protocol for operating network services securely over an unsecured network.
• Its most notable applications are remote login and command-line execution.
• SSH applications are based on a client–server architecture, connecting an SSH client instance with an SSH server.
• Usage:
• ssh root@TargetIP
17. Exploiting Port 22 - SSH (Contd.)
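Both the hydra run against FTP (slide 15) and password guessing against SSH leave a very recognisable trail on the target: a burst of failed logins from one source, often for several usernames, sometimes followed by a success. The following Python script is an added example, not part of the original slides: it parses vsftpd.log lines and sshd auth.log lines, counts failures per source and service, and reports sources over a threshold, marking the case where a success follows the failures (a guessed credential). The log lines are constructed samples in the real vsftpd and sshd formats; the addresses, usernames and the threshold of 3 are assumptions.

```python
"""Flag password-guessing against FTP and SSH from vsftpd and sshd log lines.
Added example, not from the slides. SAMPLE_LOG is constructed, not a real log."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample lines in the vsftpd.log and sshd (auth.log) formats.
SAMPLE_LOG = """\
Tue Jun 14 10:00:01 2022 [pid 2345] [msfadmin] FAIL LOGIN: Client "192.0.2.9"
Tue Jun 14 10:00:01 2022 [pid 2346] [admin] FAIL LOGIN: Client "192.0.2.9"
Tue Jun 14 10:00:02 2022 [pid 2347] [root] FAIL LOGIN: Client "192.0.2.9"
Tue Jun 14 10:00:02 2022 [pid 2348] [msfadmin] FAIL LOGIN: Client "192.0.2.9"
Tue Jun 14 10:00:03 2022 [pid 2349] [msfadmin] OK LOGIN: Client "192.0.2.9"
Tue Jun 14 10:05:00 2022 [pid 2400] [alice] OK LOGIN: Client "192.0.2.20"
Jun 14 10:01:01 metasploitable sshd[2350]: Failed password for root from 192.0.2.9 port 51234 ssh2
Jun 14 10:01:02 metasploitable sshd[2351]: Failed password for invalid user admin from 192.0.2.9 port 51235 ssh2
Jun 14 10:01:03 metasploitable sshd[2352]: Failed password for root from 192.0.2.9 port 51236 ssh2
Jun 14 10:01:04 metasploitable sshd[2353]: Failed password for bob from 192.0.2.21 port 40000 ssh2
Jun 14 10:01:05 metasploitable sshd[2354]: Accepted password for bob from 192.0.2.21 port 40001 ssh2
"""

# vsftpd: "[user] OK LOGIN: Client "ip"" / "[user] FAIL LOGIN: Client "ip""
FTP_RE = re.compile(r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<src>[^"]+)"')
# sshd: "Failed password for [invalid user] NAME from IP port N" / "Accepted password for ..."
SSH_RE = re.compile(
    r'sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<src>\S+) port \d+'
)

Event = Tuple[str, str, str, bool]   # (service, source ip, username, success)


def parse_auth_events(text: str) -> List[Event]:
    """Return one (service, src, user, success) tuple per recognised login line."""
    events: List[Event] = []
    for line in text.splitlines():
        m = FTP_RE.search(line)
        if m:
            events.append(("ftp", m["src"], m["user"], m["result"] == "OK"))
            continue
        m = SSH_RE.search(line)
        if m:
            events.append(("ssh", m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 3) -> Dict[Tuple[str, str], dict]:
    """Per (service, src): failure count, distinct users tried, and whether a
    success arrived after the failures already reached the threshold."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for service, src, user, ok in events:          # lines are processed in log order
        s = stats[(service, src)]
        if ok:
            if s["failures"] >= threshold:
                s["success_after_failures"] = True  # credential was most likely guessed
        else:
            s["failures"] += 1
            s["users"].add(user)
    return {key: s for key, s in stats.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    for (service, src), s in detect_bruteforce(parse_auth_events(SAMPLE_LOG)).items():
        verdict = "COMPROMISED?" if s["success_after_failures"] else "attempted"
        print(f"{service} from {src}: {s['failures']} failures, users={sorted(s['users'])}, {verdict}")
```

In production the same counting is done per time window; here the window is the whole sample. A source that tries several usernames before one succeeds is the case to escalate first.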
18. Exploiting port 23 - TELNET
TELNET – Port 23
• Telnet is an application protocol used on the Internet or a local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection.
• TELNET is commonly used by terminal emulation programs that allow you to log into a remote host. However, TELNET can also be used for terminal-to-terminal communication and interprocess communication. TELNET is also used by other protocols (for example, FTP) for establishing a protocol control channel.
• Usage: telnet TargetIP TargetPort
19. Exploiting port 23 - TELNET (Contd.)
20. Exploiting port 23 - TELNET (Credential Capture)
21. Exploiting port 23 - TELNET (Contd.)
22. Exploiting Port 25 - SMTP
SMTP – Port 25
• The Simple Mail Transfer Protocol is an Internet standard communication protocol for electronic mail transmission.
• Mail servers and other message transfer agents use SMTP to send and receive mail messages.
• The client that wants to send mail opens a TCP connection to the SMTP server and then sends the mail across the connection. The SMTP server is always in listening mode.
• When a client opens a TCP connection to port 25, the SMTP process accepts it. After the TCP connection is successfully established, the client process sends the mail immediately.
23. Exploiting Port 25 - SMTP (Contd.)
• smtp-user-enum -M VRFY -U user.txt -t TargetIP
24. Exploiting Port 80 HTTP
• Port 80 is the port number assigned to the commonly used internet communication protocol, Hypertext Transfer Protocol (HTTP).
• It is the default network port used to send and receive unencrypted web pages.
• Visit http://metasploitable2IP
• Check for hidden directories & files on the web server
25. Exploiting Port 80 HTTP (Contd.)
26. Exploiting Port 80 HTTP (Contd.)
27. Exploiting Port 139 & 445
• SMB is a network file sharing protocol that requires an open port on a computer or server to communicate with other systems. SMB ports are generally port numbers 139 and 445.
• Port 139 is used by SMB dialects that communicate over NetBIOS. It operates as an application layer network protocol for device communication in Windows operating systems over a network. For example, printers and serial ports communicate via port 139.
• Port 445 is used by newer versions of SMB (after Windows 2000) on top of a TCP stack, allowing SMB to communicate over the Internet. This also means you can use IP addresses in order to use SMB features like file sharing.
28. Exploiting Port 139 & 445 (Contd.)
• Early versions of the SMB protocol were exploited during the WannaCry ransomware attack through a zero-day exploit called EternalBlue.
• WannaCry exploited legacy versions of Windows computers that used an outdated version of the SMB protocol.
• WannaCry is a network worm with a transport mechanism designed to spread itself automatically. The transport code scans for systems vulnerable to the EternalBlue exploit and then installs DoublePulsar, a backdoor tool, and executes a copy of itself.
• It will then initiate an SMBv1 connection to the device and use a buffer overflow to take control of the system and install the ransomware component of the attack.
29. Exploiting Port 139 & 445 (Contd.)
30. Exploiting Port 5432 - Postgres
• PostgreSQL is used for Adaptive Authentication (TCP).
• Port 5432 is opened for the Postgres database used in the Behavioral Analytics feature of PCS.
• While scanning, customers may raise queries about port 5432 as this port is enabled on the internal interface. However, an attacker cannot connect to it.
• On some default Linux installations of PostgreSQL, the Postgres service account may write to the /tmp directory and may source UDF shared libraries from there as well, allowing execution of arbitrary code.
31. Exploiting Port 5432 – Postgres (Contd.)
32. Exploiting Port 6667 - UnrealIRCD
• UnrealIRCd is an open-source IRC daemon, originally based on DreamForge, and is available for Unix-like operating systems and Windows.
• Once users are connected to an IRC server, they can converse with other users connected to any server in the IRC network.
• IRC provides for group communication, via named channels, as well as personal communication through "private" messages.
• UnrealIRCD backdoor - The remote IRC server is a version of UnrealIRCd with a backdoor that allows an attacker to execute arbitrary code on the affected host.
33. Exploiting Port 6667 - UnrealIRCD
34. Exploiting Port 36255 - distcc
• Distcc (Daemon Command Execution) is designed to speed up compilation by taking advantage of unused processing power on other computers.
• A machine with distcc installed can send code to be compiled across the network to a computer which has the distccd daemon and a compatible compiler installed.
• distcc works as an agent for the compiler.
35. Exploiting Port 36255 – distcc (Contd.)
36. Remote Login Exploitation
• Remote login (rlogin) is a tool that was used before SSH came into the picture. Since we have the login credentials for Metasploitable 2, we will be using rlogin to connect to it, using the "-l" flag to define the login name. (rlogin -l msfadmin TargetIP)
37. Remote Shell Exploitation
• The remote shell protocol (rsh) is another way to gain a remote shell. It is a legitimate service that we will use to access the target machine with login credentials and run a certain command. (rsh -l msfadmin TargetIP ifconfig)
38. Exploiting Distributed Ruby (8787)
• Distributed Ruby, also known as dRuby or DRb, is a distributed object system for the Ruby programming language that allows for remote method calls between Ruby processes, even if they are on different machines. It uses its own protocol and is written entirely in pure Ruby.
• This makes for a flexible service that developers can use to enhance certain programs, but it also opens up a security flaw when not properly implemented, such as in older versions of dRuby.
• Since this is typically used for smaller projects and novice programs, there usually isn't a lot of concern for security issues.
40. Bind shell Exploitation – Port 1524
• Metasploitable 2 comes with an open bind shell service running on port 1524. We will be using Netcat to connect to it.
• nc TargetIP 1524
41. Exploiting Port 5900 - VNC
• Virtual Network Computing is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol to remotely control another computer.
• It transmits the keyboard and mouse input from one computer to another, relaying the graphical screen updates over a network.
• This service can be exploited using a module in Metasploit to find the login credentials.
42. Exploiting Port 5900 – VNC (Contd.)
43. Exploiting Port 8180 - Apache Tomcat
• Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies.
• It provides a "pure Java" HTTP web server environment in which Java code can also run.
• Thus it is a Java web application server, although not a full JEE application server.
44. Exploiting Port 8180 - Apache Tomcat (Contd.)
45. Exploiting Port 3306 - MYSQL
• The MySQL database in Metasploitable 2 has negligible security. We will connect to it using the mysql client on Kali, defining the username and host IP. The password will be left blank.
47. Privilege Escalation via Port 2049: NFS
• In this method, we will be creating an SSH key without a passphrase and exchanging it with the SSH key of the victim machine for the root user.
• We use ssh-keygen to generate an RSA keypair without a passphrase; it is placed in the "/root/.ssh" folder, where the key is stored by default. Once the key is created and placed, we will create a directory "/tmp/sshkey/" on our local machine.
• We will be mounting the victim machine's filesystem on the directory we just made using the Network File Sharing function. Once mounted, we write the key from our machine into the victim's machine, a sort of override, using the cat command. The thing to keep in mind here is that our key has no passphrase, so after the override the key on the victim machine is also without a passphrase; when we connect using SSH, it is effectively using a blank password.
48. Privilege Escalation via Port 2049: NFS (Contd.)
• showmount -e TargetIP
• ssh-keygen
• mkdir /tmp/sshkey
• mount -t nfs TargetIP:/ /tmp/sshkey/
• cat ~/.ssh/id_rsa.pub >> /tmp/sshkey/root/.ssh/authorized_keys
• umount /tmp/sshkey
• ssh root@TargetIP
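The escalation above only works because the export lets any client mount the whole filesystem read-write and, with no_root_squash, lets the client's root user write as root on the server. The following Python script is an added example, not part of the original slides: it parses an /etc/exports file and reports exactly those settings, so a defender can check an NFS server before an attacker runs showmount against it. The exports content is constructed; the paths and the client ranges in it are assumptions.

```python
"""Audit /etc/exports for the settings that make the NFS SSH-key overwrite possible.
Added example, not from the slides. SAMPLE_EXPORTS is constructed, not a real file."""
from typing import Dict, List

# Constructed /etc/exports. Syntax: <path> <client>(<options>) [<client>(<options>) ...]
SAMPLE_EXPORTS = """\
# constructed example exports file
/            *(rw,no_root_squash)
/srv/share   192.0.2.0/24(rw,sync,root_squash)
/srv/public  *(ro,sync,all_squash,insecure)
"""


def parse_exports(text: str) -> List[Dict]:
    """Return one {path, client, options} record per client entry."""
    exports: List[Dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, opts = client.partition("(")  # "*(rw,no_root_squash)" -> "*", "rw,no_root_squash)"
            options = opts.rstrip(")").split(",") if opts else []
            exports.append({"path": path, "client": host, "options": options})
    return exports


def audit_exports(exports: List[Dict]) -> List[str]:
    """Return a finding for each risky export setting."""
    findings: List[str] = []
    for e in exports:
        opts = set(e["options"])
        where = f"{e['path']} -> {e['client']}"
        if "no_root_squash" in opts:
            findings.append(f"{where}: no_root_squash lets a client's root user write files as server root")
        if e["client"] in ("*", "0.0.0.0/0") and "rw" in opts:
            findings.append(f"{where}: world-writable export (rw to any client)")
        if e["path"] == "/":
            findings.append(f"{where}: exporting the root filesystem exposes /root/.ssh and /etc")
        if "insecure" in opts:
            findings.append(f"{where}: 'insecure' accepts mounts from unprivileged source ports")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(finding)
```

The first line in the sample reproduces the shape of export that the slide's procedure needs (root filesystem, any client, rw, no_root_squash) and yields three findings; the second line, restricted to a subnet with root_squash, yields none.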
49. Password Cracking with JTR & Hashcat
• John the Ripper is a free password cracking software tool. Originally developed for the Unix operating system, it can run on fifteen different platforms.
• Hashcat is a password recovery tool. It is open-source software. Examples of Hashcat-supported hashing algorithms are LM hashes, MD4, MD5, the SHA family and Unix crypt formats.
• Example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes
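How quickly John the Ripper or Hashcat get through a shadow file depends mostly on which crypt format the hashes use and what cost parameter they were created with. The following Python script is an added example, not part of the original slides: it classifies each /etc/shadow entry by its crypt(3) prefix, reads the rounds= or bcrypt cost parameter where present, and lists the accounts whose hashes are fast or legacy formats (DES crypt, md5crypt, low rounds, empty passwords). The shadow lines are constructed placeholders with obviously fake hash material, not real hashes; the usernames and the thresholds (5000 rounds, bcrypt cost 10) are assumptions.

```python
"""Classify password hashes by crypt(3) prefix and flag fast or legacy formats.
Added example, not from the slides. SAMPLE_SHADOW is constructed; the hash
fields are placeholders, not real hashes."""
import re
from typing import Dict, List

# Constructed shadow entries: user:hash:lastchg:min:max:warn:::
SAMPLE_SHADOW = """\
root:$1$abcdefgh$CONSTRUCTEDMD5CRYPTPLACEHOLDER:19000:0:99999:7:::
msfadmin:$6$saltsalt$CONSTRUCTEDSHA512CRYPTPLACEHOLDER:19000:0:99999:7:::
app:$6$rounds=1000$saltsalt$CONSTRUCTEDLOWROUNDSPLACEHOLDER:19000:0:99999:7:::
web:$2b$05$CONSTRUCTEDBCRYPTSALTANDHASHPLACEHOLDER:19000:0:99999:7:::
legacy:AbCONSTRUCTED:19000:0:99999:7:::
service:*:19000:0:99999:7:::
nopass::19000:0:99999:7:::
"""

ROUNDS_RE = re.compile(r"\$[56]\$rounds=(\d+)\$")   # optional rounds= in sha256/sha512crypt


def classify_hash(field: str) -> Dict:
    """Return {'format', 'weak', 'reason'} for one shadow password field."""
    if field == "":
        return {"format": "empty", "weak": True, "reason": "no password required"}
    if field.startswith(("*", "!")):
        return {"format": "locked", "weak": False, "reason": "account locked or no password login"}
    if field.startswith("$1$"):
        return {"format": "md5crypt", "weak": True, "reason": "MD5-based with 1000 iterations, fast on GPUs"}
    if field.startswith(("$5$", "$6$")):
        name = "sha256crypt" if field[1] == "5" else "sha512crypt"
        m = ROUNDS_RE.match(field)
        rounds = int(m.group(1)) if m else 5000     # glibc default when rounds= is absent
        weak = rounds < 5000
        return {"format": name, "weak": weak,
                "reason": f"rounds={rounds}" + (" (below the 5000 default)" if weak else "")}
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        cost = int(field.split("$")[2])             # "$2b$05$..." -> 5
        weak = cost < 10
        return {"format": "bcrypt", "weak": weak,
                "reason": f"cost={cost}" + (" (below 10)" if weak else "")}
    if field.startswith("$y$"):
        return {"format": "yescrypt", "weak": False, "reason": ""}
    if len(field) == 13 and "$" not in field:
        return {"format": "DES crypt", "weak": True, "reason": "56-bit DES, password truncated to 8 chars"}
    return {"format": "unknown", "weak": True, "reason": "unrecognised prefix, review manually"}


def audit_shadow(text: str) -> Dict[str, Dict]:
    """Map username -> classification for every line of a shadow file."""
    result: Dict[str, Dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        result[user] = classify_hash(field)
    return result


def weak_accounts(audit: Dict[str, Dict]) -> List[str]:
    """Usernames whose hash format would fall quickly to a cracker."""
    return sorted(u for u, c in audit.items() if c["weak"])


if __name__ == "__main__":
    report = audit_shadow(SAMPLE_SHADOW)
    for user, c in report.items():
        print(f"{user:10s} {c['format']:12s} {'WEAK' if c['weak'] else 'ok':5s} {c['reason']}")
```

The weak list is the set of accounts to rotate first: re-hashing them with sha512crypt at default rounds, yescrypt or bcrypt at cost 10 or more raises the cost of the Hashcat run from seconds to a long time.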
50. Clearing the tracks
• The final phase of every successful hacking attack is clearing the tracks.
• It is very important, after gaining access and misusing the network, that the attacker cover their tracks to avoid being traced and caught.
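The defender's counterpart to this phase is noticing that a log has been cleared or edited. The following Python script is an added example, not part of the original slides: it records a baseline (length and SHA-256) of a log at a known-good moment and later checks the append-only property, since an untouched log keeps its old bytes as an exact prefix, so a shorter file means truncation and a changed prefix means earlier entries were rewritten or removed. The log contents are constructed auth.log-style bytes; the addresses in them are assumptions.

```python
"""Detect log truncation or in-place editing with an append-only baseline check.
Added example, not from the slides. The log contents below are constructed."""
import hashlib
from typing import Dict, Tuple

Baseline = Tuple[int, str]   # (length in bytes, sha256 hex of the whole content)


def baseline(content: bytes) -> Baseline:
    """Record the length and digest of a log at a known-good moment."""
    return len(content), hashlib.sha256(content).hexdigest()


def check(content: bytes, base: Baseline) -> str:
    """Classify the current log bytes against the baseline.
    An untampered, append-only log keeps its old prefix byte-for-byte."""
    base_len, base_hash = base
    if len(content) < base_len:
        return "truncated"                       # file shrank: entries deleted or log cleared
    if hashlib.sha256(content[:base_len]).hexdigest() != base_hash:
        return "edited"                          # old prefix rewritten: entries altered/removed
    return "ok" if len(content) == base_len else "appended"


def audit_logs(logs: Dict[str, bytes], baselines: Dict[str, Baseline]) -> Dict[str, str]:
    """Run check() over several named logs; a log missing from the baseline is 'unknown'."""
    return {name: (check(data, baselines[name]) if name in baselines else "unknown")
            for name, data in logs.items()}


# Constructed auth.log-style content and three later states of it.
ORIGINAL = (
    b"Jun 14 10:01:01 host sshd[2350]: Failed password for root from 192.0.2.9 port 51234 ssh2\n"
    b"Jun 14 10:01:05 host sshd[2354]: Accepted password for bob from 192.0.2.21 port 40001 ssh2\n"
)
APPENDED = ORIGINAL + b"Jun 14 10:02:00 host sshd[2360]: Received disconnect from 192.0.2.21\n"
EDITED = ORIGINAL.replace(b"192.0.2.9 port", b"10.0.0.99 port")   # same length, source IP altered
TRUNCATED = b""                                                     # log cleared

if __name__ == "__main__":
    base = {"auth.log": baseline(ORIGINAL)}
    later = {"auth.log": EDITED, "syslog": b"unbaselined\n"}
    print(audit_logs(later, base))
```

Log rotation legitimately shrinks a file, so a real monitor re-baselines after each rotation (or keys the baseline on the inode) and, more importantly, forwards a copy of every line to a collector the compromised host cannot reach, so that what the attacker clears locally still exists elsewhere.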