vault backup: 2025-03-16 18:59:42

Penetration Testing/Week 21/Public Exploitation Workshop.md

@@ -0,0 +1 @@
+![](Pasted%20image%2020250207142220.png)

Penetration Testing/Week 21/Week 21 - Exploits and Post-Exploitation.md

@@ -0,0 +1,90 @@
+**Slide 1: Penetration Testing Process**
+
+- **Phases of Penetration Testing**:
+  - Pre-engagement (1)
+    - Agreement on rules of engagement, scope, and objectives.
+  - Intelligence gathering (2)
+    - Passive reconnaissance: Information collected without interacting with the target.
+      - Tools: Search engines, social media, DNSdumpster, etc.
+    - Active reconnaissance: Information collected by interacting with the target.
+      - Tools: Nmap, Zenmap, Wireshark, etc.
+  - Threat modeling (3)
+    - Identifying potential threats and vulnerabilities in the target system.
+  - Vulnerability scanning (4)
+    - Automated testing to identify vulnerabilities in the target system.
+      - Tools: Nessus, OpenVAS, etc.
+  - Exploitation (5)
+    - Using exploits to gain unauthorized access to the target system.
+      - Tools: Metasploit, Burp Suite, etc.
+  - Post-exploitation (6)
+    - Maintaining access to the target system and gathering sensitive information.
+      - Tools: Mimikatz, BloodHound, etc.
+
+**Slide 2: Public Exploits**
+
+- **Finding reliable exploits**:
+  - SecLists (<https://seclists.org/>)
+  - Exploit-DB (<https://www.exploit-db.com/>)
+- **Offline exploit DB in Kali**:
+  - `searchsploit` command
+    ```
+    searchsploit <keyword>
+    ```
+
+**Slide 3: Compiling Exploits**
+
+- **Cross-compiling for Windows**:
+  - Use `gcc` with specific flags to compile for Windows.
+    ```
+    gcc -o exploit.exe exploit.c -m64 -lwininet
+    ```
+- **Lab Activity**: Fix and compile `646.c` to exploit SLMail on Windows 7 lab machine.
+
+**Slide 4: Penetration Testing Execution Standard (PTES)**
+
+- **Phases of PTES**:
+  - Pre-engagement
+  - Intelligence gathering
+  - Threat modeling
+  - Vulnerability scanning
+  - Exploitation
+  - Post-exploitation
+  - Reporting
+
+**Slide 5: Post-Exploitation**
+
+- **Goals of post-exploitation**:
+  - Determine the value of the compromised machine.
+  - Maintain control for later use.
+  - Identify and document sensitive data.
+  - Set up access methods for later use.
+
+**Slide 6: Infrastructure Analysis**
+
+| Category | Information to gather |
+| --- | --- |
+| Network information | Configuration, interfaces, routing, DNS servers, ARP entries, proxy servers, listening services, neighbour discovery protocols, wireless keys |
+| Pillaging | Startup items, login items, security services, file and print shares, databases, source code management systems, virtualisation, messaging systems, backup systems |
+| Documents | Spreadsheets, word documents, databases, password files |
+| History | Command history, USB activity, web history, patching history; log files, bookmarks |
+| Monitoring | Key logging, screen capture, webcam access, network traffic capture |
+
+**Slide 7: Escalation and Persistence**
+
+- **Privilege escalation techniques**:
+  - Exploit higher privileged process.
+  - Inject into higher privileged DLL.
+  - Overwrite higher privileged executable file.
+  - Trojan, rootkits, backdoor account/service.
+- **Persistence techniques**:
+  - Reverse shell to single IP.
+  - Backdoor service that survives reboot.
+
+**Slide 8: Moving Things Around**
+
+- **Uploading/downloading files**:
+  - Use FTP with Kali acting as an FTP server.
+- **Privilege escalation example**:
+  - `useradd.c` exploit for Windows 7 lab machine.
+
+**Exercise**: Complete the lab activity on privilege escalation using `useradd.c` and verify high privilege access.