Pentesting Basics
Common Terms
Shell
On a Linux system, the shell is a program that takes input from the user via the keyboard and passes these commands to the operating system to perform a specific function.
Most Linux systems use a program called Bash (Bourne Again Shell) as a shell program to interact with the operating system.
Bash is an enhanced version of sh, the original Unix shell program. Aside from Bash there are other shells, including but not limited to Zsh, Tcsh, Ksh, Fish shell, etc.
"Getting a shell" on a box (system) means that the target host has been exploited and we have obtained shell-level access (typically bash or sh), so we can run commands interactively as if we were logged in to the host.
Types of Shell Connections
Reverse shell
Initiates a connection back to a "listener" on our attack box.
Bind shell
"Binds" to a specific port on the target host and waits for a connection from our attack box.
Web shell
Runs operating system commands via the web browser and is typically not interactive or only semi-interactive. It can also be used to run single commands (e.g., leveraging a file upload vulnerability to upload a PHP script that runs a single command).
Each type of shell has its use case, and the same way there are many ways to obtain a shell, the helper program that we use to get a shell can be written in many languages (Python, Perl, Go, Bash, Java, awk, PHP, etc.).
Port
A port can be thought of as a window or door on a house (the house being a remote system).
Ports are virtual points where network connections begin and end.
They are software-based and managed by the host operating system.
Ports are associated with a specific process or service and allow computers to differentiate between different traffic types.
Each port is assigned a number, and many are standardized across all network-connected devices (though a service can be configured to run on a non-standard port).
There are two categories of ports, Transmission Control Protocol (TCP), and User Datagram Protocol (UDP).
There are 65,535 TCP ports and 65,535 different UDP ports, each denoted by a number.
TCP
TCP is connection-oriented, meaning that a connection between a client and a server must be established before data can be sent.
UDP
UDP utilizes a connectionless communication model. There is no "handshake", which introduces a certain amount of unreliability since there is no guarantee of data delivery.
UDP is useful when error correction/checking is either not needed or is handled by the application itself.
Common Ports
20/21 (TCP): FTP
22 (TCP): SSH
23 (TCP): Telnet
25 (TCP): SMTP
80 (TCP): HTTP
161 (TCP/UDP): SNMP
389 (TCP/UDP): LDAP
443 (TCP): SSL/TLS (HTTPS)
445 (TCP): SMB
3389 (TCP): RDP
It is essential for us, especially as pentesters, to have a firm grasp of many TCP and UDP ports and be able to recognize them quickly from just their number.
This comes with practice and repetition and eventually becomes second nature as we attack more boxes, labs, and real-world networks; it helps us work more efficiently and better prioritize our enumeration efforts and attacks.
Web Servers
A web server is an application that runs on the back-end server, handles all of the HTTP traffic from the client-side browser, routes each request to its destination page, and finally responds to the client-side browser.
Web servers usually run on TCP ports 80 or 443, and are responsible for connecting end-users to various parts of the web application, in addition to handling their various responses.
As web applications tend to be open for public interaction and facing the internet, they may lead to the back-end server being compromised if they suffer from any vulnerabilities.
Web applications can provide a vast attack surface, making them a high-value target for attackers and pentesters.
OWASP Top 10
We will often hear about/see references to the OWASP Top 10. This is a standardized list of the top 10 web application vulnerabilities maintained by the Open Web Application Security Project (OWASP).
This list covers what are considered the 10 most critical web application security risks; it is not an exhaustive list of all possible web application vulnerabilities.
1. Broken Access Control: restrictions are not appropriately implemented to prevent users from accessing other users' accounts, viewing sensitive data, accessing unauthorized functionality, modifying data, etc.
2. Cryptographic Failures: failures related to cryptography, which often lead to sensitive data exposure or system compromise.
3. Injection: user-supplied data is not validated, filtered, or sanitized by the application. Some examples of injection are SQL injection, command injection, LDAP injection, etc.
5. Security Misconfiguration: missing appropriate security hardening across any part of the application stack, insecure default configurations, open cloud storage, and verbose error messages which disclose too much information.
6. Vulnerable and Outdated Components: using components (both client-side and server-side) that are vulnerable, unsupported, or out of date.
7. Identification and Authentication Failures: authentication-related attacks that target users' identity, authentication, and session management.
8. Software and Data Integrity Failures: code and infrastructure that do not protect against integrity violations. An example is an application that relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs).
9. Security Logging and Monitoring Failures: this category covers the ability to detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected.
10. Server-Side Request Forgery (SSRF): SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
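The validation that item 10 says is missing in an SSRF-prone application can be made concrete. The following Python check is an added example, not code from the original page; the function name validate_fetch_url and the allow-list are assumptions. It rejects non-HTTP schemes and any hostname that resolves to a loopback, private, link-local (cloud metadata) or otherwise non-public address before the application fetches the URL.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy: the application only ever needs to fetch web resources.
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip_text):
    """True only for globally routable addresses. is_global is False for loopback,
    RFC 1918 ranges, 169.254.0.0/16 (cloud metadata), 0.0.0.0, TEST-NET blocks, etc."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop an IPv6 zone id if present
    return ip.is_global


def validate_fetch_url(url):
    """Return (ok, reason) for a user-supplied URL the application is about to fetch."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    # Resolve here and check every address the name maps to, not just the first one.
    try:
        addrs = {info[4][0] for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    # Caveat: a validate-then-fetch pattern is still exposed to DNS rebinding between
    # the two steps; a production fetcher should connect to the address validated here.
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/",  # constructed samples
                      "file:///etc/passwd", "http://8.8.8.8/"):
        print(candidate, "->", validate_fetch_url(candidate))
```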
Basic Tools
SSH
Secure Shell (SSH) is a network protocol that runs on port 22 by default and provides users such as system administrators a secure way to access a computer remotely.
SSH can be configured with password authentication or passwordless using public-key authentication using an SSH public/private key pair.
SSH uses a client-server model, connecting a user running an SSH client application such as OpenSSH to an SSH server.
Command:
ssh <UserName>@<IP Address>
Example:
ssh Bob@10.10.10.10
NetCat
Netcat, ncat, or nc, is an excellent network utility for interacting with TCP/UDP ports.
It can be used for many things during a pentest but its primary usage is for connecting to shells.
Banner Grabbing Command:
netcat <IP Address> <Port Number>
Example:
netcat 10.10.10.10 22
The output will be the banner of the port we interacted with, informing us of the service running.
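The same banner-grab can be scripted to check what the services on a host you administer announce about themselves, combining the common-ports table above with the netcat technique. This is an added example, not code from the original page; the function names and the fake local service (used so it runs offline) are assumptions.

```python
import socket
import socketserver
import threading

# Port-number lookup built from the common-ports table on this page (not exhaustive).
COMMON_PORTS = {20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP",
                161: "SNMP", 389: "LDAP", 443: "HTTPS", 445: "SMB", 3389: "RDP"}


def grab_banner(host, port, timeout=3.0):
    """Connect to host:port and read whatever the service volunteers first (its banner)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""  # e.g. HTTP says nothing until the client sends a request
    return data.decode("utf-8", errors="replace").strip()


def describe(port, banner):
    """One triage line: what the port number suggests versus what the service said."""
    expected = COMMON_PORTS.get(port, "unknown")
    if banner:
        return f"{port}/tcp ({expected}): {banner}"
    return f"{port}/tcp ({expected}): no banner (service waits for the client to speak)"


def serve_fake_banner(banner_bytes):
    """Start a throwaway local listener that sends banner_bytes and hangs up; returns its port.
    Constructed stand-in for a real service so the example works without a lab host."""
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            self.request.sendall(banner_bytes)

    server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


if __name__ == "__main__":
    # Constructed SSH-style banner; on a real host this would be ("host", 22).
    port = serve_fake_banner(b"SSH-2.0-OpenSSH_9.2 Example\r\n")
    print(describe(22, grab_banner("127.0.0.1", port)))
```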
PowerCat is a Windows alternative to netcat written in PowerShell.
Another similar network utility is socat, which has a few features that netcat does not support, like forwarding ports and connecting to serial devices.
Socat can also be used to upgrade a shell to a fully interactive TTY.
Tmux
Terminal multiplexers, like tmux or Screen, are great utilities for expanding a standard Linux terminal's features, like having multiple windows within one terminal and jumping between them.
To start using tmux, we type tmux in our terminal. To use a tmux command, we press Ctrl + B followed by the command. For example, Ctrl + B and then C will open a new terminal.
Useful commands (Ctrl + B followed by the command):
C: opens a new window.
# of the window: move to that window.
Shift + %: split horizontally (Left and Right).
Shift + ": split vertically (Up and Down).
Arrows: move around split windows.
This cheatsheet is a very handy reference.
Vim
Vim is a great text editor that can be used for writing code or editing text files on Linux systems.
We usually find Vim or Vi installed on compromised Linux systems, so learning how to use it allows us to edit files even on remote systems.
Vim also has many other features, like extensions and plugins, which can significantly extend its usage and make for a great code editor.
There are 2 modes for vim, read-only and insert mode.
Once we open a file, we are in read-only normal mode, which allows us to navigate and read the file.
Commands:
vim <File Name>: Opens a file.
i: Starts insert mode.
Esc: Exits insert mode.
:: Enters command mode.
Commands (Read-only Mode)
x: Cut character
dw: Cut word
dd: Cut full line
yw: Copy word
yy: Copy full line
p: Paste
We can multiply any command to run multiple times by adding a number before it. For example, 4yw would copy 4 words instead of one, and so on.
Commands (Command Mode)
:1: Go to line number 1.
:w: Write the file (save).
:q: Quit.
:q!: Quit without saving.
:wq: Write and quit.
This cheatsheet is an excellent resource for further unlocking the power of Vim.