Slide 1: Penetration Testing Process
- Phases of Penetration Testing:
  - Pre-engagement (1)
    - Agreement on rules of engagement, scope, and objectives.
  - Intelligence gathering (2)
    - Passive reconnaissance: Information collected without interacting with the target.
      - Tools: Search engines, social media, DNSdumpster, etc.
    - Active reconnaissance: Information collected by interacting with the target.
      - Tools: Nmap, Zenmap, Wireshark, etc.
  - Threat modeling (3)
    - Identifying potential threats and vulnerabilities in the target system.
  - Vulnerability scanning (4)
    - Automated testing to identify vulnerabilities in the target system.
    - Tools: Nessus, OpenVAS, etc.
  - Exploitation (5)
    - Using exploits to gain unauthorized access to the target system.
    - Tools: Metasploit, Burp Suite, etc.
  - Post-exploitation (6)
    - Maintaining access to the target system and gathering sensitive information.
    - Tools: Mimikatz, BloodHound, etc.
Slide 2: Public Exploits
- Finding reliable exploits:
  - SecLists (https://seclists.org/)
  - Exploit-DB (https://www.exploit-db.com/)
  - Offline exploit DB in Kali: the searchsploit command, e.g. searchsploit <keyword>
Slide 3: Compiling Exploits
- Cross-compiling for Windows:
  - Use gcc with specific flags to compile for Windows: gcc -o exploit.exe exploit.c -m64 -lwininet
- Lab Activity: Fix and compile 646.c to exploit SLMail on the Windows 7 lab machine.
Slide 4: Penetration Testing Execution Standard (PTES)
- Phases of PTES:
  - Pre-engagement
  - Intelligence gathering
  - Threat modeling
  - Vulnerability scanning
  - Exploitation
  - Post-exploitation
  - Reporting
Slide 5: Post-Exploitation
- Goals of post-exploitation:
  - Determine the value of the compromised machine.
  - Maintain control for later use.
  - Identify and document sensitive data.
  - Set up access methods for later use.
Slide 6: Infrastructure Analysis
Category | Information to gather
---|---
Network information | Configuration, interfaces, routing, DNS servers, ARP entries, proxy servers, listening services, neighbour discovery protocols, wireless keys |
Pillaging | Startup items, login items, security services, file and print shares, databases, source code management systems, virtualisation, messaging systems, backup systems |
Documents | Spreadsheets, word documents, databases, password files |
History | Command history, USB activity, web history, patching history; log files, bookmarks |
Monitoring | Key logging, screen capture, webcam access, network traffic capture |
Slide 7: Escalation and Persistence
- Privilege escalation techniques:
  - Exploit a higher privileged process.
  - Inject into a higher privileged DLL.
  - Overwrite a higher privileged executable file.
  - Trojan, rootkits, backdoor account/service.
- Persistence techniques:
  - Reverse shell to a single IP.
  - Backdoor service that survives reboot.
Slide 8: Moving Things Around
- Uploading/downloading files:
  - Use FTP with Kali acting as an FTP server.
- Privilege escalation example: useradd.c exploit for the Windows 7 lab machine.
Exercise: Complete the lab activity on privilege escalation using useradd.c and verify high privilege access.
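Added here as an example, not code from the course: a defender-side PowerShell audit a student could run on the Windows 7 lab machine after the Slide 8 exercise to see what the Slide 7 escalation and persistence techniques (backdoor account, backdoor service that survives reboot, the startup items from the Slide 6 pillaging list) leave behind. Assumed: PowerShell 2.0 on the host, an elevated prompt, and a "trusted path" list of SystemRoot and the Program Files trees.

```powershell
# Added audit script (not from the course slides): checks a Windows 7 lab host for the
# artefacts that the Slide 7 escalation and persistence techniques leave behind.
# Written for PowerShell 2.0, so it avoids Get-LocalUser and Get-ScheduledTask.
# Run from an elevated prompt. The "trusted path" list is an assumption for this lab.

Write-Host "== Local accounts (look for ones you did not create) =="
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, SID | Format-Table -AutoSize

Write-Host "== Members of the local Administrators group =="
$group = [ADSI]"WinNT://./Administrators,group"
$group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
}

Write-Host "== Auto-start services whose binary is outside trusted paths =="
# A backdoor service that survives reboot is registered with StartMode=Auto;
# flag any whose image path is not under the Windows or Program Files trees.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }
Get-WmiObject Win32_Service -Filter "StartMode='Auto'" | Where-Object {
    $path = $_.PathName
    if (-not $path) { return $true }           # no image path at all is itself suspicious
    $path = $path.Trim('"').ToLower()
    -not ($trusted | Where-Object { $path.StartsWith($_) })
} | Select-Object Name, State, StartName, PathName | Format-List

Write-Host "== Run / RunOnce startup entries =="
$runKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike "PS*" } |
        ForEach-Object { "{0}: {1} = {2}" -f $key, $_.Name, $_.Value }
}
```

Compare the output against a snapshot taken before the exercise; every new administrator, service or Run entry is an artefact the lab produced and should be documented in the report.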