When a penetration tester gains access to a Windows target, the primary goal is to gather as much information as possible about the environment. This includes performing various awareness checks to identify potential security risks, understand the current security posture, and gather intelligence for privilege escalation or further exploitation. This guide outlines a series of checks, grouped by categories, that should be performed immediately after gaining access to a Windows system.
Gather detailed information about the system, including the operating system version, architecture, and installed patches. This information is crucial for understanding the environment and identifying potential vulnerabilities.
Audit local security policies to understand password policies, user rights assignments, and audit policies, which can provide insights into the security posture of the system.
TCP, as a fundamental protocol, offers options and mechanisms that enhance its functionality across diverse network environments. Understanding these options is crucial for network engineers, security professionals, and system administrators. This primer delves into the key TCP options, such as Maximum Segment Size (MSS), Window Scaling, and Selective Acknowledgments (SACK), as well as essential TCP features like retransmissions, congestion control, and TCP flags. Additionally, it explores the intricacies of TCP window size analysis, padding practices in TCP/UDP, and the implications of TCP options on network performance and security.
TCP provides several options that enhance its functionality and allow for fine-tuning in various network environments. Understanding these options is crucial for optimizing performance and ensuring robust communication.
The Maximum Segment Size (MSS) specifies the maximum segment size that a device is willing to accept, which directly impacts the efficiency of data transfer. MSS values typically vary based on the underlying network's Maximum Transmission Unit (MTU):
Standard Ethernet (1500-byte MTU)
MSS = 1460 bytes. This is the most common MSS for standard Ethernet networks with no additional overhead.
Smaller MSS Values (Indicating VPNs or Tunneling)
MSS = 1400 bytes or lower could indicate the presence of overhead from encapsulation, such as VPN tunneling (e.g., IPsec, GRE) or other types of tunneling that reduce the available space for the TCP segment.
MSS = 1200-1300 bytes is common in some VPN configurations, particularly when multiple layers of encapsulation are used.
MSS = 536 bytes is a default value seen in very old systems or networks with severe MTU restrictions.
Larger MSS Values (Jumbo Frames)
MSS > 1460 bytes is typically seen in environments using jumbo frames, with an MTU around 9000 bytes. Examples include data centers, high-performance computing (HPC), storage area networks (SANs), and virtualized environments where large data volumes are transmitted efficiently.
Continue reading
Look for forms or input fields where user data might be passed to the system. Common examples include search fields, login forms, or any other input that interacts with the backend.
Input a command that could reveal if the system is processing your input. For example, try inputting ; id or && id in the input field.
Submit the form and observe the response. If user identity information is shown in the response, you have identified a command injection vulnerability.
BeEF (Browser Exploitation Framework) is a powerful tool that allows penetration testers to assess the security of browser clients. It uses XSS (Cross-Site Scripting) vulnerabilities to hook the target's browser and control it remotely.
This setting restricts which IP addresses can be hooked by BeEF. It ensures only devices within the specified subnet are targeted, enhancing security by limiting exposure.
A local file inclusion attack is like a guest at a party discovering an unlocked door to the host's private study. Once inside, they rummage through personal files and sensitive documents, taking advantage of the unlocked door to access information not meant for them.
File inclusion vulnerabilities occur when a web application allows users to include files without proper validation. There are two types of file inclusion vulnerabilities: Local File Inclusion (LFI) and Remote File Inclusion (RFI).
Local File Inclusion (LFI): This vulnerability occurs when an attacker can include files that are already present on the server. It is typically exploited to read sensitive files such as configuration files, password files, and logs, which may contain valuable information.
Remote File Inclusion (RFI): This vulnerability occurs when an attacker can include files from remote servers. This can be used to execute malicious code hosted on an external server, potentially leading to a complete server compromise. RFI is often used when attackers do not have other means of access to the target server.
File inclusion vulnerabilities can be used for various purposes, including information disclosure, code execution, and privilege escalation.
You have been tasked with pentesting a WordPress-based web application. Your goal is to identify any vulnerabilities and demonstrate how any findings could be exploited.
File upload vulnerabilities occur when a web application fails to properly validate or sanitize user-uploaded files. This can lead to various security issues, including remote code execution, server-side script execution, and unauthorized access to sensitive data. In this walkthrough, we will explore the process of identifying file upload vulnerabilities in a fictional web application called "PhotoShare," crafting a payload using msfvenom, testing the vulnerability, and presenting the findings in a pentest report.
You have been tasked with pentesting "PhotoShare," a web application that allows users to upload and share photos. Your goal is to identify any file upload vulnerabilities and demonstrate how they can be exploited.
Privilege escalation on a Linux system is about exploiting specific vulnerabilities, misconfigurations, or oversights to gain elevated access — typically root. Even on a hardened system, subtle weaknesses like improperly configured SUID/SGID binaries, world-writable files, or unpatched kernel exploits can provide an attacker with a path to escalate privileges. The process involves thorough enumeration to uncover these opportunities, followed by precise exploitation, whether through command injection, leveraging environment variables, or exploiting vulnerable binaries. Mastery of these techniques allows you to move from basic user access to full system control, a crucial step in both offensive security and system hardening.
Imagine you find a custom binary named /usr/local/bin/backup with the SUID bit set. This binary was intended to perform backups, but it was poorly coded and does not sanitize input properly. It allows you to append additional commands to its execution.
If the backup binary accepts a file name as an argument and directly passes it to a system call like system() or exec(), you can inject commands by adding a semicolon and your desired command.
/usr/local/bin/backup"; /bin/bash -p"
Here, the -p flag preserves the SUID privileges, allowing you to spawn a root shell. This command executes the backup binary, but the semicolon allows you to terminate the expected command and start a new one, effectively giving you a shell with elevated privileges.
Assume you find a script named /usr/local/bin/logsync with the SGID bit set to a privileged group, such as adm (which often has access to system logs). This script is intended to sync log files, but it doesn't properly handle user input and directly passes arguments to a command within the script.
If the script allows you to pass arguments, you could inject a command by manipulating the input. For example.
In this scenario, the script tries to sync /var/log/syslog, but the semicolon terminates the logsync command and then opens a new shell (/bin/bash). The shell inherits the group privileges (e.g., adm), allowing you to read or modify logs that require elevated privileges.
If you find a world-writable directory in a critical path, such as /var/www/html on a web server, you could place a malicious script there if the web server runs with elevated privileges.
Place a malicious PHP script in the web directory to execute a shell.
If the /etc/sudoers file or a file within /etc/sudoers.d/ is writable, you could escalate privileges by modifying it to grant yourself sudo access without a password:
Add a rule to allow your user to execute any command as root without a password:
Script for automating dpkg -l output to run through searchsploit
#!/bin/bash
dpkg-l|awk'{print $2 " " $3}'|whilereadline;dopkg=$(echo$line|awk'{print $1}')ver=$(echo$line|awk'{print $2}')echo"[*] Searching for exploits for $pkg version $ver..."searchsploit"$pkg$ver"done
Similar to dpkg -l, if you find an outdated or vulnerable package:
SQL Injection (SQLi) is an attack that allows execution of arbitrary SQL queries on a database through a vulnerable web application. Imagine a nightclub where the bouncer's job is to verify the age of each guest to ensure they're over 21. Instead of checking IDs properly, the bouncer just glances at whatever is shown and lets everyone in, assuming it's valid. This lack of scrutiny allows individuals who are underage and/or have fake IDs to enter the club, potentially causing trouble.
In the case of SQL injection, the web application (bouncer) is supposed to validate and sanitize user inputs (IDs) to ensure only safe and legitimate queries (guests) interact with the database (club). However, if the application fails to properly check and sanitize these inputs, malicious actors (underage individuals) can inject harmful SQL code (fake IDs) into the query, gaining unauthorized access to sensitive data (entering the club) and potentially causing damage.
This walkthrough demonstrates using SQLMap to exploit a vulnerable URL parameter on a MySQL-based website. Steps include confirming the vulnerability, enumerating databases, and extracting data from the "wordpress" database. The scenario highlights the impact of SQLi vulnerabilities, such as unauthorized data access, and concludes with preparing a pentest report to document findings and recommendations.
In penetration testing, gaining access to internal network resources often requires advanced techniques to bypass firewalls, NAT devices, and other security measures. SSH tunneling and redirection are powerful methods that allow penetration testers to navigate these obstacles. This article will explain these concepts, their real-world applications, and provide practical examples.
SSH tunneling, also known as SSH port forwarding, is a method of creating a secure, encrypted connection between a local and a remote computer through the SSH protocol. This technique can be used to forward traffic from one network port to another, effectively bypassing firewall restrictions and network segmentation.
Imagine you are a penetration tester who has gained initial access to a target network through a compromised external server (Target1_IP). Your goal is to reach internal resources (Target2_IP and Target3_IP) and also provide a reverse connection back to your local machine for further exploitation. To achieve this, you will use an advanced SSH command that sets up multiple tunnels and optimizes connections.
Previously, I wrote a bit about the process of kerberoasting and utilizing Bloodhound and other tools for Windows penetration testing. Because those topics are covered elsewhere, this one will cover different tools and techniques that were not in the kerberoasting post.
For this post, I am continuing an exploit that began from a XSS vulnerability and was exploited through BeEF. It picks up where the BeEf post left off with having just exploited the Windows box with a very unstable Windows shell.
The first step we want to do is get ourselves out of an unstable shell by migrating to a process owned by the user we're impersonating.
Continue reading