Week 11 : Maintaining Access

18 May 2018

Maintaining Access
(bypassing the firewall)

1. Protocol Tunneling (DNS Tunnel)

Protocol tunneling is a method of encapsulating one protocol inside another. Its purpose is to bypass protection at the target and stay low-key in the network: to the firewall, and to anyone watching the traffic, the tunneled data looks like the carrier protocol.
In practice that means: if the firewall blocks the traffic you want to send, first establish a tunnel over a protocol that is permitted (for example SSTP, the Secure Socket Tunneling Protocol, which carries PPP inside HTTPS, or plain DNS) and, once the tunnel is up, send the blocked traffic through it.
A metaphor is North Korea and South Korea.
North Korea does not allow its people to go to South Korea. But if people dig a tunnel without being discovered, they can secretly send 'packages' or even travel to South Korea.
Example: dns2tcp, which has two components, a server (dns2tcpd) and a client (dns2tcpc). The server must be the authoritative name server for a (sub)domain you control, so that the client's DNS queries, relayed by the target's own resolver, end up at your server. The weak point of a DNS tunnel is that it is noisy: a stream of queries for long, random-looking subdomains of one domain stands out in DNS logs.
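To make the "protocol inside a protocol" idea concrete, here is an added example (written for these notes, not code from dns2tcp or from the original post) that shows the two halves of a DNS tunnel: the client side chops a payload into DNS query names under a tunnel zone, and the server side reassembles the payload from the names it receives. The tunnel domain t.example.com is a constructed assumption, as is the 100-byte chunk size. The last function is the defender's view of the same traffic: a heuristic over query names that flags the long, high-entropy labels a tunnel produces.

```python
import base64
import math
from collections import Counter

# Constructed tunnel zone for this example. A real tunnel server such as
# dns2tcpd must be the authoritative name server for this zone; otherwise the
# target's recursive resolver never forwards the queries to it.
TUNNEL_DOMAIN = "t.example.com"
MAX_LABEL = 63      # RFC 1035: one label is at most 63 characters
MAX_NAME = 253      # RFC 1035: a whole name is at most 253 characters in text form
CHUNK_BYTES = 100   # raw bytes per query: 100 bytes -> 160 base32 chars -> 3 labels


def _labels(text):
    """Cut a string into DNS labels of at most MAX_LABEL characters."""
    return [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]


def encode_chunks(payload, domain=TUNNEL_DOMAIN):
    """Encapsulate payload into query names of the form <seq>.<data labels>.<domain>.

    Base32 rather than base64 is used because DNS names are case-insensitive and
    a resolver may fold case; the '=' padding is stripped because it is not a
    valid hostname character. The sequence number lets the receiver reorder
    queries that arrive out of order.
    """
    names = []
    for seq, offset in enumerate(range(0, len(payload), CHUNK_BYTES)):
        chunk = payload[offset:offset + CHUNK_BYTES]
        data = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        name = ".".join([str(seq)] + _labels(data) + [domain])
        if len(name) > MAX_NAME:
            raise ValueError("query name exceeds the DNS length limit")
        names.append(name)
    return names


def decode_chunks(names, domain=TUNNEL_DOMAIN):
    """Reassemble the payload from the query names seen by the tunnel server.

    Names outside the tunnel zone (ordinary DNS traffic) are ignored, and
    chunks are put back in sequence order.
    """
    suffix = "." + domain.lower()
    pieces = {}
    for name in names:
        if not name.lower().endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        seq, data = int(labels[0]), "".join(labels[1:]).upper()
        data += "=" * (-len(data) % 8)          # restore the base32 padding
        pieces[seq] = base64.b32decode(data)
    return b"".join(pieces[seq] for seq in sorted(pieces))


def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores far above hostnames."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def looks_like_tunnel(name, zone_labels=2):
    """Heuristic a defender can run over DNS query logs.

    Flags names that are very long, have an unusually long label, or whose
    subdomain part (everything left of the registered domain, assumed here to
    be the last `zone_labels` labels) has the high entropy of encoded data.
    """
    labels = name.rstrip(".").split(".")
    sub = "".join(labels[:-zone_labels])
    return (len(name) > 100
            or max(len(lbl) for lbl in labels) >= 40
            or (len(sub) >= 20 and shannon_entropy(sub) > 4.0))


if __name__ == "__main__":
    secret = b"GET /flag HTTP/1.1\r\nHost: internal\r\n\r\n" * 3   # constructed payload
    queries = encode_chunks(secret)
    print(f"{len(secret)} bytes -> {len(queries)} DNS queries, e.g.\n  {queries[0]}")
    assert decode_chunks(queries) == secret
    print("flagged by heuristic:", looks_like_tunnel(queries[0]),
          "| www.example.com flagged:", looks_like_tunnel("www.example.com"))
```

The thresholds in looks_like_tunnel (name longer than 100 characters, a label of 40 or more, entropy above 4 bits per character) are tuned for this example; a real detector would baseline them against the network's own DNS traffic, because CDNs and some anti-virus products legitimately generate long encoded labels too.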

2. Proxy Tools

A proxy is a server that sits in the middle between two parties (client and server).
A forward proxy hides the client's activities from the server, which only ever sees the proxy; a reverse proxy does the opposite and protects the real server by placing it behind the proxy.
In Indonesia there are many free open proxies available. We should not use free proxies recklessly: an open proxy sees all of the traffic that passes through it, and the proxy might have been set up by law enforcement or the government precisely in order to monitor our traffic and activities.

3. End-to-end Connection Tools

End-to-end connection tools create a direct connection between a server and a client.
The purpose of an end-to-end connection is to transfer files between the remote server and the client and to execute commands on the remote machine.
Examples of such tools are CryptCat (netcat with Twofish encryption), sbd (a netcat clone with AES-CBC-128 + HMAC-SHA1 encryption) and Socat. Plain netcat sends everything in cleartext, which is why the encrypted variants matter when the connection crosses a monitored network.

4. Create a PHP Shell for a Backdoor

A PHP shell is a small piece of PHP code that allows OS commands to be executed from the browser. It lets the hacker "maintain" access through the malicious code inside the site without being noticed, for as long as the file stays undiscovered. You can download a PHP shell from this website: http://r57.gen.tr/
Defenders look for exactly these files: a PHP file sitting in an upload or image directory, or a file whose hash no longer matches what was deployed, is the usual giveaway.
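The flip side of planting a PHP shell is knowing how it gets found, so here is an added example (not code from the original post or from r57) of the two checks a web administrator runs over a web root: a signature scan for PHP that feeds request data into system/exec/eval, and a hash comparison against a baseline taken at deployment time. The three files and their contents are constructed in memory so the script runs offline; the indicator weights are this example's own choice.

```python
import hashlib
import re

# Constructed sample web root, held in memory so the example runs offline.
# Only the first file is legitimate; the other two are minimal web shells of
# the kind the text describes (run an OS command taken from the HTTP request).
SAMPLE_FILES = {
    "index.php": "<?php\nrequire 'config.php';\necho render_page($_GET['page'] ?? 'home');\n",
    "images/x.php": "<?php system($_GET['cmd']); ?>",
    "wp-content/uploads/cache.php": "<?php @eval(base64_decode($_POST['z'])); ?>",
}

# PHP functions that hand a string to the OS shell or to the PHP interpreter.
EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
USER_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"

# (weight, reason, pattern). Weights are this example's own choice.
INDICATORS = [
    (5, "request data passed straight into an exec/eval function",
     re.compile(r"\b" + EXEC_FUNCS + r"\s*\(\s*[^;]*" + USER_INPUT, re.I)),
    (3, "exec/eval function present",
     re.compile(r"\b" + EXEC_FUNCS + r"\s*\(", re.I)),
    (3, "eval of base64_decode output (classic obfuscation)",
     re.compile(r"\beval\s*\(\s*(?:@\s*)?base64_decode", re.I)),
    (1, "error suppression on a dangerous call",
     re.compile(r"@\s*(?:eval|system|exec|shell_exec|passthru)\b", re.I)),
]


def score_source(src):
    """Return (score, reasons) for one PHP source text."""
    score, reasons = 0, []
    for weight, reason, pattern in INDICATORS:
        if pattern.search(src):
            score += weight
            reasons.append(reason)
    return score, reasons


def scan(files, threshold=5):
    """Signature scan: map each path scoring >= threshold to (score, reasons)."""
    findings = {}
    for path, src in files.items():
        score, reasons = score_source(src)
        if score >= threshold:
            findings[path] = (score, reasons)
    return findings


def fingerprint(files):
    """SHA-256 of every file: the baseline to record right after deployment."""
    return {path: hashlib.sha256(src.encode()).hexdigest() for path, src in files.items()}


def integrity_diff(baseline, current):
    """Return (added, modified) paths relative to the baseline.

    A shell dropped after deployment is a new or changed file, so it shows up
    here even when its code is obfuscated enough to slip past the signatures.
    """
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified


if __name__ == "__main__":
    for path, (score, reasons) in scan(SAMPLE_FILES).items():
        print(f"{path}: score {score}: {'; '.join(reasons)}")
    clean_baseline = fingerprint({"index.php": SAMPLE_FILES["index.php"]})
    added, modified = integrity_diff(clean_baseline, fingerprint(SAMPLE_FILES))
    print("files not in baseline:", added, "| modified:", modified)
```

The signature scan catches the two textbook shells but is easy to evade with string concatenation or variable functions; the integrity diff does not care how the code is written, which is why the two are used together. The lesson for the attacker is the mirror image: a backdoor that survives is one that does not add a file and does not change a hash.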

Week 9 : Target Exploitation

Target Exploitation
Week 9 (4 May 2018)

1.0 Definition
After finding the vulnerabilities in the system, the tester has to exploit as many of them as possible, in the hope of gaining full access or full control of, and visibility into, the network and the systems in it.

2.0 Tools

2.1 MSFConsole

2.2 Nmap inside MSF

Week 8 : Social Engineering

Social Engineering
Week 8 (27 April 2018)

1.0 What is social engineering?
Humans have weaknesses and make mistakes; social engineering is about finding those weaknesses, which might lead you into the website (or the organization behind it). Social engineering is vulnerability mapping applied to a real person.

1.1 Human Psychology
Our senses (sight, hearing, taste, touch, smell, balance, acceleration, temperature, kinesthesia, pain and direction) are part of being human, and all of them can be played on. The goal is to obtain information through human communication, face to face or indirectly. There are two common tactics to accomplish this: interview and interrogation. Interrogation means making the person confess and extracting information from that confession, while an interview is more neutral. When you interrogate people, you can use either trust or fear.

1.2 Attack Process

  1. Intelligence Gathering: gather as much information as possible.
  2. Identifying Vulnerable Points: let's say we're about to hack a bank; we can find vulnerable points by finding the 'poorest' branch, where the employees usually have not had enough security training, and social engineer the employees there.
  3. Planning the Attack: trial and error and brute force are not bad, but it is better to know what you are going to do before you actually execute anything (strategy).
  4. Execution

1.3 Attack Methods

  1. Impersonation
  2. Reciprocation: the art of exchanging favors for mutual advantage.
  3. Influential Authority: we can impersonate the boss, send a malicious program and tell the staff to execute it.
  4. Scarcity
  5. Social Relationship

2.0 Social Engineering Toolkit

2.1 CUPP
CUPP (Common User Passwords Profiler) is a tool that creates a password wordlist tailored to one specific person, because no matter how unique people are, when it comes to passwords the patterns are the same. People tend to use passwords that are easy to remember, like birthdays, dates, names, or even their pets' names.
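To show what "a wordlist tailored to one person" actually contains, here is an added example (written for these notes, not CUPP's own code) that builds such a list from a profile: the names in the usual capitalisations and a leet-speak variant, combined with fragments of the birth date and the common suffixes, then filtered to a plausible password length. The profile of "Budi Santoso" is constructed and refers to no real person; the suffix list, leet table and length bounds are this example's own assumptions.

```python
from datetime import date

# Constructed profile of a fictitious person. CUPP collects the same fields
# interactively; nothing here refers to a real user.
PROFILE = {
    "name": "Budi",
    "surname": "Santoso",
    "nickname": "bud",
    "partner": "Sari",
    "pet": "Milo",
    "birthdate": date(1990, 5, 18),
}

# Substitutions people make when a site demands "a number in the password".
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
# Common tails; the empty string keeps the bare word itself.
SUFFIXES = ["", "!", "@", "123", "1234", "12345"]


def base_words(profile):
    """Name-like tokens in the capitalisations people actually type."""
    words = set()
    for key in ("name", "surname", "nickname", "partner", "pet"):
        word = profile[key]
        words.update({word.lower(), word.capitalize(), word.upper()})
    words.add((profile["name"] + profile["surname"]).lower())
    words.add(profile["name"].capitalize() + profile["surname"].capitalize())
    return words


def date_tokens(d):
    """Fragments of a date that get appended: 1990, 90, 1805, 0518, 18051990."""
    return {
        f"{d.year}",
        f"{d.year % 100:02d}",
        f"{d.day:02d}{d.month:02d}",
        f"{d.month:02d}{d.day:02d}",
        f"{d.day:02d}{d.month:02d}{d.year}",
    }


def generate(profile, min_len=6, max_len=16):
    """Build the per-person wordlist: each word (and its leet variant) combined
    with date fragments and common suffixes, filtered to a plausible length."""
    words = base_words(profile)
    words |= {w.translate(LEET) for w in words}
    tails = date_tokens(profile["birthdate"]) | set(SUFFIXES)
    candidates = {w + t for w in words for t in tails}
    candidates |= {t + w for w in words for t in tails if t}   # e.g. 1990budi
    return sorted(c for c in candidates if min_len <= len(c) <= max_len)


if __name__ == "__main__":
    wordlist = generate(PROFILE)
    print(f"{len(wordlist)} candidates, e.g.: {', '.join(wordlist[:6])}")
    # One word per line is the format password crackers and wpscan expect.
    with open("budi.txt", "w") as fh:
        fh.write("\n".join(wordlist) + "\n")
```

The list is a few hundred entries rather than the millions in a generic dictionary, which is the point: a targeted list can be tried against a login form or WPScan's password guessing without triggering the lockouts that a generic list would.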



2.2 SET Toolkit
SET (the Social-Engineer Toolkit) is a social engineering tool with many uses. Below is my attempt at creating a phishing email that sends a malicious PDF file.


Week 6 : Vulnerability Mapping (Port Scanning)

Vulnerability Mapping
Week 6 (6 April 2018)

1.0 Port Scanning Definition
There are three types of vulnerabilities: design vulnerabilities, due to weaknesses in the software specification; implementation vulnerabilities, which are the security glitches in the code; and operational vulnerabilities, which are errors in deployment or configuration.

Just like the previous post, to scan ports we will learn more about mapping using Fping, Hping and other tools. Fping pings multiple IP addresses simultaneously, while Hping crafts, sends and listens to arbitrary TCP/IP packets (for example a single TCP SYN to one port, which is the building block of a port scan).

2.0 Tools

2.1 FPing

2.2 HPing
An Hping cheat sheet can be found here. More examples can be found here.

2.3 Nikto

Nikto is a web server scanner: it looks for dangerous files and directories, outdated server software and common misconfigurations on the target web server.


Week 5 : Enumerating Target

Enumerating Target
Week 5 (23 March 2018)

1.0 Enumerating Target Definition
Enumerating the target is where the tester finds out about the open ports, the operating system and the services in use. Further findings can let the tester discover usernames, passwords, shared resources, etc.

2.0 Tools

2.1 NMap
The live hosts in an IP range can be found with NBTscan, which queries NetBIOS names across the whole range. The full list of nmap commands can be seen here. Zenmap is the GUI version of nmap. Nmap is used to scan ports, which means it can scan perimeter network devices and servers from an external perspective (outside your own firewall).

2.2 WPScan

WPScan also has commands to find vulnerabilities in WordPress plugins and themes, to enumerate users, and even to guess passwords.

~# wpscan --url domain --enumerate u
(enumerating users)

Week 4 : Target Discovery

Target Discovery
Week 4 (16 March 2018)

1.0 Definition of Target Discovery
After gathering a lot of information, we should discover which systems the target machines use; hence target discovery is needed.

Why do we need to look at old records?

  1. Find old scripts

We can find old scripts which may contain vulnerable code.

  2. Find old admin pages

If we can find an old admin page, we can try to brute force our way into the system.

  3. Find old servers

Some organizations never turn off their old websites, so a forgotten server running an old, unpatched version may still be reachable.

2.0 Tools

2.1 Security Trails

Using https://securitytrails.com/dns-trails we can see the list of DNS records a domain has used over time. For instance, for the website pentest.id we can see its historical DNS records.

2.2 Robtex

Robtex.com can also be used to find information about the target.

2.3 CrimeFlare

Crimeflare.com can also be used to find the real IP address behind Cloudflare's IP address (Cloudflare acts as a reverse proxy, so the address in DNS is Cloudflare's, not the origin server's).

Week 3 : Utilizing Search Engine

Utilizing Search Engine
Week 3 (9 March 2018)

5.0 Utilizing The Search Engine
In continuation of the previous post (week), hacking can also be done using a search engine: with certain keywords / query operators we can find anything that was left behind by a sysadmin or web developer.

5.1 Google Hacking
Google hacking can be used to find sensitive information through Google.
Below is an example of how to use Google hacking; it is recommended that you only use it to examine your own website.

5.1.1 Exploit Database (Exploit-DB)
Exploit-DB is an archive of public exploits for specific software versions; it can easily be found in the bookmarks tab of Firefox on Kali Linux.

5.2 TheHarvester
TheHarvester is a tool to collect emails, usernames, names, etc. from the internet. The command used is ~# theharvester -d domainname -b all
"all" means that the tool will look at every data source (Google, PGP key servers, Bing, ...). It can also search social media such as LinkedIn.

Week 2 : Target Scoping & Information Gathering

Target Scoping & Information Gathering
Week 2 (2 March 2018)

1.0 Definition of Target Scoping
Target scoping is an observational process to gather the target assessment requirements.

2.0 Key Concept of Target Scoping

2.1 Gathering Client Requirement
The purpose of this step is to obtain as much information from the client as may be necessary for the penetration testing process.

2.2 Prepare Test Plan
Prepare what is necessary and what is not necessary, and sign an NDA / contract with the client.

2.3 Profiling Test Boundaries
Make sure to agree on the limitations of the penetration test, such as the knowledge and technology involved (what is in scope and what is not).

2.4 Defining Business Objectives
Based on the requirements, it is important to define the business objectives: when the penetration test is done, what can the client's company improve, whether on the IT (security) side, financially, etc.?

2.5 Project Management & Scheduling
Project management and scheduling are also important, because the penetration tester should finish on time. There are many applications and tools to help manage the penetration test and outline how long the process will take.


3.0 Definition of Information Gathering
Information gathering is where the tester gathers as much information as possible about the target, like DNS records, hostnames, IP addresses, usernames, password reset information, secret questions, contact information, etc. Knowledge is power; there is nothing wrong with gathering too much information. Keep in mind, though, that passive gathering from public sources leaves no trace at the target, while active scanning can lead to detection or suspicion.

4.0 Information Gathering Tools
Information can be gathered in different ways, using public resources such as search engines, scanners, or anything that forces the system to leak information.

4.1 Public Resources
Using a phone call to ask for information about the company, perhaps disguised as an employee. This step counts as social engineering.

Search Engine
A search engine can also be used to obtain information: the company's email addresses, job titles, full names, social media accounts, etc.

One example is the website whois.net, which finds the registrant of a website. pentest.id is my teacher's website; he allowed us to practice on it.

4.2 The whois command
Like whois.net, the whois command ~# whois domainname will also show the registrant information of the domain's owner.

4.3 Host command
The host command is used to find the IP address of a domain name:
~# host domainname
By default it prints the A, AAAA and MX records for the domain; the -a option requests all record types (it is equivalent to -v -t ANY).
A is the IPv4 address, AAAA the IPv6 address, and MX the Mail eXchange record.

4.4 Dig command
The dig command ~# dig domainname does the same as host; it is usually preferred because it is more flexible and its output is clearer.

4.5 Dnsenum command
Dnsenum is used to collect information from DNS. With the -f option and your own wordlist (a txt file), it will brute force the subdomains of the domain.

4.6 DMitry command
DMitry stands for Deepmagic Information Gathering Tool. It is used like the whois tool, but it can also find subdomains, MX records, and open ports.

4.7 Tcptraceroute command
This tool works by sending TCP SYN packets to the target. If the port is open, the reply is a SYN/ACK; if it is closed, the reply is an RST packet. Because it uses TCP rather than the ICMP or UDP probes of ordinary traceroute, it can trace a path through firewalls that drop those probes.
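The SYN / SYN-ACK / RST behaviour described for tcptraceroute is the same one a port scanner relies on, whether it is nmap (week 5), hping (week 6) or this tool. Here is an added example (written for these notes, not the code of any of those tools) of the simplest scan, a TCP connect scan: connect() succeeds when the handshake completes (open), is refused when the host answers the SYN with RST (closed), and times out when a firewall silently drops the SYN (filtered). So that it runs offline, the script starts its own listener on a loopback port and scans that together with a port it has just verified to be free; the RFC 1918 address used for the "filtered" demonstration in the main block is an assumption.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """TCP connect scan of a single port.

    open     : the three-way handshake completes (our SYN was answered with SYN/ACK)
    closed   : the host answered the SYN with RST, so connect() is refused
    filtered : nothing came back (a firewall dropped the SYN) or the host is
               unreachable, so connect() times out or fails
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # includes socket.timeout / TimeoutError
        return "filtered"
    finally:
        sock.close()


def scan(host, ports, workers=32):
    """Probe many ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p), ports))
    return dict(zip(ports, states))


def start_listener(host="127.0.0.1"):
    """Open a throwaway TCP listener on an ephemeral port so the scan has
    something to find. Returns (socket, port); the caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Pick a port that is almost certainly closed: bind, read the number, release."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one open and one closed loopback port; returns their states."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        states = scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": states[open_port], "closed_port": states[closed_port]}


if __name__ == "__main__":
    print(demo())
    # A SYN that nobody answers (constructed RFC 1918 address, assumed unused
    # on this network) comes back as "filtered" once the timeout expires.
    print(probe("10.255.255.1", 80))
```

A connect scan completes the handshake, so every probe shows up in the target service's logs; nmap's default -sS SYN scan sends a raw SYN and never finishes the handshake, which is quieter but needs root for raw sockets. That difference is why the week 2 note about active scanning leading to detection matters.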