
Hjalte Abelskov for IT Minds


A Beginner's Guide to Penetration Testing (Part 1)

Disclaimer:

Before we start, I feel the need to write a short disclaimer: remember that these are real hacking tools that should never be used without a formal agreement in place between the parties involved. These posts are meant to be a teaser with the goal of giving you, the reader, a sense of what penetration testing is and what to be aware of when building your applications.

What is a pentest?

A pentest is essentially a simulated cyberattack on a computer system with the purpose of evaluating the security of the system. A pentest can be whitebox, meaning that the attacker has access to background and system information, or blackbox, meaning that the attacker has little or no information about the system.

Why do we pentest?

The UK National Cyber Security Centre describes pentesting as

A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might

Let me start by going over a quick glossary to make sure that we are all on the same page:

  • Target: A target is typically a single IP address, but could also be a range of IP addresses.
  • Port: A communication endpoint for the computer, numbered from 0 to 65535. Ports can be either:

    • OPEN (If you send a SYN, you get back a SYN/ACK)
    • UNFILTERED (The special ACK scan, used for mapping firewall rule sets, can sometimes return RST. This means that the port is accessible, but we can’t determine if it is open or closed).
    • FILTERED (Target is behind some sort of firewall and packets get dropped / no response)
    • CLOSED (When you send a SYN, it responds back with a RST).
  • CVE: Short for “Common Vulnerabilities and Exposures”. This is a method of indexing and referencing publicly known software vulnerabilities. Roughly 15,000 to 20,000 new CVEs are reported each year.

[Image: ports below 1000]

Phases of a pentest

You should know that there are 5 phases to professional pentesting, namely

  1. Planning
  2. Scanning
  3. Gaining Access
  4. Persistent Access
  5. Reporting

In this post, however, I want to focus mainly on phases 2 and 3, since that's where the exciting stuff happens.

2. Scanning

When we scan a target, we are looking for information about which operating system and software might be running on the computer. Scanning for open ports tells us how the target can be interacted with, which often lets us infer a lot of information about the target. This is typically done with a tool called nmap.

A scan could look like the following:

[Image: example nmap scan]

Here we see two open ports, namely port 22 (ssh) and port 80 (http). This indicates that the target is probably hosting one or more websites and has SSH access enabled for remote configuration. We can see it is running OpenSSH 7.4 and the website is Apache httpd 2.4.25. From this information alone, we may start looking for well-known vulnerabilities, also known as CVEs. MITRE maintains a CVE database (https://cve.mitre.org/) we can look in. A website such as https://www.exploit-db.com/ even goes as far as to provide working code exploits for a lot of known CVEs.

On a different scan we might find an Active Directory Domain Controller, which would be indicated by ports 53 (dns), 88 (kerberos), 135 (msrpc), 139 (netbios-ssn), 389 (ldap), 445 (file replication service), 464 (kerberos password change), 3268 and 3269 (ldap) being open.
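As an added example (not from the original post), here is a small Python parser for nmap's grepable (-oG) output that turns a scan like the one described above into structured records, lists which open ports fall outside what the host's owner expects, collects the product/version strings worth looking up in a CVE database, and recognises the Domain Controller port pattern from the previous paragraph. The scan text, the hosts and the expected-port baseline are constructed for the example; only the nmap field layout (port/state/proto/owner/service/rpcinfo/version) is real.

```python
"""Parse nmap grepable (-oG) output and review what a host exposes.

Added example, not from the original post. SAMPLE_GNMAP is constructed: the
first host mirrors the one described in the text (OpenSSH 7.4 on 22, Apache
httpd 2.4.25 on 80); the second is a made-up host showing the Domain
Controller port pattern. The EXPECTED baseline is also an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed nmap -oG output, two hosts. Real format, fake hosts.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/24
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.25 ((Debian))/\tIgnored State: closed (998)
Host: 10.0.0.9 ()\tPorts: 53/open/tcp//domain//Microsoft DNS/, 88/open/tcp//kerberos-sec//, 135/open/tcp//msrpc//, 139/open/tcp//netbios-ssn//, 389/open/tcp//ldap//, 445/open/tcp//microsoft-ds//, 464/open/tcp//kpasswd5//, 3268/open/tcp//ldap//, 3269/open/tcp//ldap//\tIgnored State: closed (991)
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    state: str      # open, closed, filtered, unfiltered, open|filtered, ...
    proto: str
    name: str       # nmap's service name (ssh, http, ldap, ...)
    version: str    # product/version string from -sV, "" if unknown


def parse_gnmap(text: str) -> list[Service]:
    """One Service per entry on each 'Ports:' line.

    Entries are comma-separated and laid out as
    port/state/proto/owner/service/rpcinfo/version/ (fields may be empty).
    """
    services: list[Service] = []
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(", "):
            f = entry.split("/")
            if len(f) < 7:
                continue  # malformed entry; skip rather than guess
            services.append(Service(host, int(f[0]), f[1], f[2], f[4], f[6]))
    return services


# Which (host, port) pairs the host's owner intends to expose (constructed).
EXPECTED = {("10.0.0.5", 22), ("10.0.0.5", 80)}


def unexpected_open(services: list[Service], expected=EXPECTED) -> list[tuple[str, int]]:
    """Open ports not in the baseline: undocumented services or firewall gaps."""
    return sorted({(s.host, s.port) for s in services
                   if s.state == "open" and (s.host, s.port) not in expected})


def versions_to_review(services: list[Service]) -> dict[tuple[str, int], str]:
    """Product/version strings an attacker would look up in a CVE database,
    so they are also the ones a defender must track for patches."""
    return {(s.host, s.port): s.version
            for s in services if s.state == "open" and s.version}


# Port set the post associates with an Active Directory Domain Controller.
DC_PORTS = {53, 88, 135, 139, 389, 445, 464, 3268, 3269}


def looks_like_domain_controller(services: list[Service], host: str) -> bool:
    open_ports = {s.port for s in services if s.host == host and s.state == "open"}
    return DC_PORTS <= open_ports


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    print("unexpected open:", unexpected_open(found))
    print("to review:", versions_to_review(found))
    for h in ("10.0.0.5", "10.0.0.9"):
        print(h, "looks like a DC:", looks_like_domain_controller(found, h))
```

Run against a scheduled scan of your own network, anything unexpected_open reports is either an undocumented service or a firewall gap, and versions_to_review is exactly the software whose CVEs need tracking before someone else looks them up.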

Remember: Scanning the target and enumerating the attack vectors that come to mind is an iterative process and should be done continuously throughout the pentest.

After our initial port scan, we might do more scans depending on what we find. In order to be as effective as possible, and to gather as much information as possible, pentesters often run multiple scans simultaneously on a target. There are hundreds of tools out there for every service imaginable. Some of the tools worth mentioning are wpscan (https://wpscan.com/wordpress-security-scanner) for WordPress sites or sqlmap (https://sqlmap.org/) for automatic SQL injection. For a more extensive list of tools, check out https://0xcybery.github.io/ehtk/ or https://github.com/enaqx/awesome-pentest.

3. Gaining access

This step will vary a lot based on the results of the second phase, but let’s assume a very common case: we see a website on port 80/443.
First, we want to identify which technologies are being used. For this, there are several tools, but we can also poke at it manually.

We could try to:

  • Read the source code
  • See if we get a hit on a well-known endpoint such as /wp-content/ for WordPress, /user/login/ for Drupal, or /manager/html for Tomcat.
  • Inspect the server responses and look for technologies used. This will sometimes also yield version numbers which makes it easy to look for existing exploits.

If we’re lazy, we can use tools such as Nikto, WhatWeb, BuiltWith or Wappalyzer that will analyze which technologies are being used by the website for us.
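From the server owner's side, the same header inspection is an easy self-check. The following added Python example (not part of the post) parses an HTTP response's header block, reports which technology headers are present and whether they carry a version number, and compares a leaky response with a hardened one. Both responses are constructed; the Apache ServerTokens and PHP expose_php settings mentioned in the comments are the standard ways of suppressing those strings.

```python
"""Check HTTP response headers for technology and version disclosure.

Added example, not part of the original post. LEAKY and HARDENED are
constructed responses from the same imaginary server before and after the
version strings were suppressed.
"""
from __future__ import annotations

import re

# Response headers that commonly advertise server-side software (lowercased).
TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# A dotted version number such as 2.4.25 or 7.0.33.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_headers(raw: str) -> dict[str, str]:
    """Parse an HTTP response head (status line first) into {name: value};
    names are lowercased because header names are case-insensitive."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosures(headers: dict[str, str]) -> list[tuple[str, str, str | None]]:
    """(header, value, version) for every technology header present; version
    is None when the header names a product without a version number."""
    found = []
    for name in TECH_HEADERS:
        if name in headers:
            m = VERSION_RE.search(headers[name])
            found.append((name, headers[name], m.group(0) if m else None))
    return found


def leaks_versions(raw: str) -> bool:
    """True if any technology header in the response carries a version number."""
    return any(v is not None for _, _, v in disclosures(parse_headers(raw)))


# Constructed: what the manual inspection described in the post would turn up.
LEAKY = """\
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.0.33
Content-Type: text/html; charset=UTF-8
"""

# Constructed: the same server with 'ServerTokens Prod' in the Apache config
# and 'expose_php = Off' in php.ini, the usual settings for hiding these strings.
HARDENED = """\
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, disclosures(parse_headers(raw)), "leaks:", leaks_versions(raw))
```

Hiding the version does not remove a vulnerable Apache or PHP; it only removes the shortcut from "version number" to "known exploit", which is why patching stays the real fix and this check is just a cheap early warning.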

We can also use tools such as Gobuster to scan websites for subpages.
Gobuster has a ton of features, but we will be using its dir mode with the -u (URL) parameter and provide it with a wordlist (-w) of words to search for. Operating systems such as Kali Linux or ParrotOS come pre-installed with wordlists, but there are plenty of useful wordlists on GitHub we can use - check out https://github.com/danielmiessler/SecLists. An example of this could be:
gobuster dir -u https://site-we-want-to-scan/ -w /path/to/wordlist -t <threads> -o gobuster_scan_from_website_root

An output could look something like this:

[Image: initial gobuster scan example]

If our wordlist is well-chosen, we now have a good overview of the site, and we can continue our attack based on what we find. As mentioned earlier, enumeration is a continuous process.

With this new information, we could try a gobuster scan on https://site-we-want-to-scan/images, https://site-we-want-to-scan/uploads or https://site-we-want-to-scan/assets to gain more information about which artifacts exist on the site.
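Seen from the web server's logs, a wordlist scan like the one above is a burst of requests for paths that do not exist, all coming from one client. The following added Python example (not from the original post) implements that detection over constructed access-log lines in the Apache/nginx combined format: it counts distinct 404 paths per client inside a sliding time window and flags clients over a threshold. The IP addresses, paths, window and threshold are assumptions chosen for illustration.

```python
"""Flag clients whose traffic looks like wordlist-driven path enumeration.

Added example, not from the original post. A directory scan shows up in
server logs as a burst of requests for paths that do not exist, all from one
client. SAMPLE_LOG is constructed (combined log format); the window and
threshold are illustrative assumptions, not tuned values.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> tuple[str, datetime, str, int] | None:
    """(ip, timestamp, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def enumeration_suspects(lines, window=timedelta(seconds=60), min_404=20) -> dict[str, int]:
    """{ip: peak number of distinct 404 paths seen within one `window`} for
    every client whose peak reaches min_404. A normal visitor hitting a broken
    link produces a handful of 404s; a wordlist scan produces hundreds."""
    not_found = defaultdict(list)  # ip -> [(ts, path)] for 404 responses
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == 404:
            ip, ts, path, _ = parsed
            not_found[ip].append((ts, path))

    suspects = {}
    for ip, events in not_found.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):           # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({p for _, p in events[start:end + 1]}))
        if peak >= min_404:
            suspects[ip] = peak
    return suspects


# --- constructed sample log (not real traffic) -----------------------------
def _line(ip: str, ts: datetime, path: str, status: int) -> str:
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S +0000}] "GET {path} HTTP/1.1" '
            f'{status} 153 "-" "Mozilla/5.0"')


BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
WORDS = ["admin", "backup", "images", "uploads", "assets", "old", "test", "config"] \
    + [f"dir{i}" for i in range(22)]      # 30 wordlist entries

SAMPLE_LOG = (
    # scanner at 203.0.113.7: one guessed path per second, every one a 404
    [_line("203.0.113.7", BASE + timedelta(seconds=i), f"/{w}", 404)
     for i, w in enumerate(WORDS)]
    # ordinary visitor: a few real pages and one broken link
    + [_line("198.51.100.4", BASE + timedelta(seconds=5), "/", 200),
       _line("198.51.100.4", BASE + timedelta(seconds=9), "/about", 200),
       _line("198.51.100.4", BASE + timedelta(seconds=12), "/old-link", 404)]
)

if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_LOG))   # expected: {'203.0.113.7': 30}
```

The window and threshold are the knobs: a real scan with a large wordlist will produce far more than 30 distinct misses per minute, while a crawler following stale links rarely produces more than a few, so a defender can set the threshold high enough to avoid paging on broken links and still catch enumeration early.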

Well, this wraps up my first post on penetration testing!
Thank you for reading!
In the next post, I will get more hands-on as I walk you through how I hacked a target from the famous website HackTheBox.
