Georgia Weidman’s PenTest book (Part 3)


I covered a few more chapters of Georgia Weidman’s Penetration Testing book (chapters 5 through 8). The main takeaway for me from these chapters is the “pentesting methodology”, simply put:

1. Gather information (of target)
2. Find weakness (or service/port/software vulnerabilities)
3. Attack it (exploit to gain access; hack!)

Gather Info

This is where we use tools to find out details about the target: Netcat, whois, DNS details, searching for public internet profiles, email addresses. There is a mention of the tool Maltego (an insane tool!) - it can “single app-ly” (single-handedly) pull all your target information together and piece it into a single view (or more). It has a GUI with lots of useful functions, e.g. I tested a simple DNS lookup and it managed to crawl from an IP to information about what webserver was running, what tools were installed, what API the webserver is using, which language it is coded in… The functionality is limited in the free version, and I think it can do a crazy, scary amount of intelligence gathering with the paid version. Understanding the difference between Nmap port-scanning options is important, especially when to use a SYN, UDP or TCP scan. There is this link which I think will be useful when dealing with firewalls, listing some Nmap options used to evade detection: https://resources.infosecinstitute.com/nmap-evade-firewall-scripting

Find weakness

Using tools like Nessus, the Nmap scripting engine and Nikto. Nikto is golden - it scans for vulnerabilities in web apps and actually tells you which vulnerabilities you can exploit. The chance of exploiting a vulnerability is high if you are scanning an outdated webserver and Nikto spoon-feeds you which exploit to use. A lot in this phase depends on your patience, resourcefulness, research and experience. There are many useful tools, but they don’t replace knowledge of which vulnerabilities are exploitable - there is a pretty awesome example in the book where Georgia showed how an open, unsecured phpMyAdmin page could be used to inject a PHP “get windows cmd” through which attackers can remotely run any Windows cmd commands. Self note: don’t discard any possibility of how a vulnerability can be exploited, e.g. the above, using a PHP GET request to execute a cmd command remotely, is possible!

Attack it

My favourite part! We revisited the famous MS08-067 exploit, where we attacked the Windows XP machine set up for the hands-on lab using Metasploit. We also exploited a bunch of other vulnerable, outdated software such as PHP, WebDAV and open NFS shares. It looked easy, but yet not easy: using Metasploit to gain a shell on a remote server is simple in these examples because the right exploit was used on the right vulnerability. I’m thinking that in real-life pentesting we won’t have the cards laid out nicely like this! Also, after gaining remote access to your victim’s machine successfully… What’s next? What do I do now? What should I do? These were questions I had.

What’s next

This should be the post-exploitation part of a pentest, where we continue to maintain access… or exfiltrate data… steal something, e.g. hashdumps (password keys), the SAM, ssh keys, etc.

I really loved the example in chapter 8 where we exploited the open NFS share via the victim’s ssh folder: we create our own ssh keypair and upload the public key into the victim’s machine, then gain entry using SSH with our private key (which succeeds because the victim’s machine now holds our public key). Alternatively, another way to access the victim’s machine was copying out the victim’s keypair and adding it to our own attacking machine.
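From the defender’s side, the planted-key technique above leaves a visible trace: an entry in `authorized_keys` that nobody authorised. The script below is an added example (my own, not code from the book or from this post) that audits an `authorized_keys` file against an allowlist of known-good SHA256 key fingerprints and flags anything else, including entries hidden behind option prefixes such as `command="..."`. The sample file content and key blobs are constructed for the example; the fingerprint format follows OpenSSH’s `SHA256:` style (base64 of the SHA-256 of the raw key blob, padding stripped).

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of key fingerprints.

Added example for this post; not the book's code. Sample data below is constructed.
"""
import base64
import hashlib
import re
from typing import Dict, List, Set

# Key types OpenSSH accepts in authorized_keys (assumption: this subset is enough here).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Matches "<type> <base64 blob> [comment]" anywhere after optional, possibly
# space-containing option prefixes like command="/usr/bin/foo bar",no-pty.
KEY_RE = re.compile(
    r"(?:^|\s)(" + "|".join(map(re.escape, sorted(KEY_TYPES))) + r")"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(text: str, allowed_fingerprints: Set[str]) -> List[Dict]:
    """Return one finding per non-comment line: known, UNKNOWN, or malformed."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no key
        match = KEY_RE.search(stripped)
        if not match:
            findings.append({"line": lineno, "status": "malformed", "raw": stripped})
            continue
        ktype, blob, comment = match.group(1), match.group(2), (match.group(3) or "").strip()
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append({"line": lineno, "status": "malformed", "raw": stripped})
            continue
        status = "known" if fp in allowed_fingerprints else "UNKNOWN"
        findings.append({"line": lineno, "status": status, "type": ktype,
                         "fingerprint": fp, "comment": comment})
    return findings


def unknown_keys(text: str, allowed_fingerprints: Set[str]) -> List[Dict]:
    """Only the entries that parse as keys but are not on the allowlist."""
    return [f for f in audit(text, allowed_fingerprints) if f["status"] == "UNKNOWN"]


# --- Constructed sample data (not real keys) ---------------------------------
ADMIN_BLOB = base64.b64encode(b"constructed: admin laptop key material").decode()
ROGUE_BLOB = base64.b64encode(b"constructed: key planted via writable NFS home").decode()

SAMPLE_AUTHORIZED_KEYS = f"""# ~/.ssh/authorized_keys (constructed sample)
ssh-ed25519 {ADMIN_BLOB} admin@laptop

command="/usr/bin/backup",no-pty ssh-ed25519 {ROGUE_BLOB} backup
this is not a key line
"""

# Allowlist built from the keys the administrator actually issued.
ALLOWLIST = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(finding)
```

In practice the allowlist would come from your key inventory, and the audit would run over every exported home directory (the writable NFS export is exactly what let the key be planted in the book’s example), so the options prefix and the fingerprint, not the free-text comment, are what you should trust when deciding whether an entry belongs.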

There is too much good stuff in this book and I learnt a lot - even though some examples are quite outdated (pretty low chance, but not impossible, to see a WinXP machine used commercially today), the approach and concepts behind exploitation are generally similar.