Offensive Security 101 Workshop
Types of Assessments
Penetration Testing Process
Traditionally, penetration tests are broken into various phases, as shown below:

Red Team Operations
A red team operation can be defined as "an extended form of engagement conducted over a period of weeks and designed to achieve a set objective such as data exfiltration, and in the process test an organization's detection and response capabilities."
Note: if there is no defense, then there is no red team. A red team's sole purpose is to help strengthen the blue team.
Penetration Testing vs Red Team Engagements
Scheduled security test vs adversarial based assessments
Red Team = Blue Team present and operational
A red team's sole purpose is to support the blue team
A penetration test does not emulate an attacker; it discovers exploitable vulnerabilities
Chaining of vulnerabilities to demonstrate a PoC against vulnerable systems (Yay to DA!)
In red team engagements, operational controls are baselined and stress tested.
Are your sensors working?
What is a Red Team
A red team is an independent group that challenges an organization to improve its effectiveness by assuming an adversarial role or point of view.
It is particularly effective in organizations with strong cultures and fixed ways of approaching problems.
What is a Purple Team?
How are Purple Teams Successful?
A true purple team's mission should emphasize not the remediation of individual vulnerabilities but the growth of the organization's prevention and detection capabilities.
Setting Up Your Lab Machines
Before starting the lab, ensure both of your VMs are imported into VirtualBox/VMware
Next, confirm both VMs are set to NAT or Host-Only networking
Settings > Network > NAT
Settings > Network > Host-Only
Log into your Kali VM using the credentials root:toor
Enter the command ifconfig and write your IP Address down
Log into your metasploitable2 VM using the credentials msfadmin:msfadmin
Enter the command ifconfig and write your IP Address down
Confirm network connectivity between hosts by sending a ping from Kali to Metasploitable and from Metasploitable to Kali
**Note** if you wish to access both VMs from your host terminal, simply type sudo service ssh start on each machine and connect to both over SSH.
OSX/Linux – Terminal
Windows – Putty/CMDER
Passive Recon
Social Mapper
OSINT Social Media Mapping Tool
Maltego
Take your APIs to the next level
Fat Fingers & GitHub
TruffleHog searches through git repositories for secrets.
Creds already available?
pwnedOrNot uses the haveibeenpwned v2 API to test email accounts and tries to find the password in Pastebin dumps
Active Recon
EyeWitness takes screenshots of websites, provides server header info, and can identify default credentials if possible.
AWSBucketDump
Dump Those Buckets!
How hard will it be to Phish?
Spoofcheck is a program that checks SPF and DMARC records for weak configurations that allow spoofing.
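To show what a tool like spoofcheck is looking for, here is an added Python example (written for this page; it is not spoofcheck's code) that applies the same weak-configuration checks to SPF and DMARC record strings. The records below are constructed samples rather than real DNS answers; a real checker would resolve the TXT records for the domain and `_dmarc.<domain>` and pass the strings in.

```python
# Constructed TXT records for three hypothetical domains; not real DNS data.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}


def _is_lookup(term):
    """True for SPF terms that cost a DNS lookup (RFC 7208 caps these at 10)."""
    term = term.lstrip("+-~?")
    return term in ("a", "mx", "ptr") or term.startswith(
        ("a:", "mx:", "ptr:", "include:", "exists:", "redirect=")
    )


def check_spf(record):
    """Return a list of weaknesses in an SPF TXT record; an empty list means nothing obvious."""
    if record is None:
        return ["no SPF record: receivers cannot tell which hosts may send for this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not a v=spf1 record"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        # The qualifier in front of 'all' decides what happens to every sender not listed.
        first = all_terms[-1][0]
        qualifier = first if first in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the internet")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail is not flagged")
        elif qualifier == "~":
            findings.append("'~all' is softfail: most receivers still deliver spoofed mail")
    if sum(_is_lookup(t) for t in terms[1:]) > 10:
        findings.append("more than 10 DNS-lookup terms: the record evaluates to permerror")
    return findings


def check_dmarc(record):
    """Return a list of weaknesses in a DMARC TXT record; an empty list means nothing obvious."""
    if record is None:
        return ["no DMARC record: receivers are never told to reject spoofed mail"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: the record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: the policy is applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts are not collected")
    return findings


def assess(domain, records):
    """Combine both checks for one domain into a single report dict."""
    return {"domain": domain, "spf": check_spf(records["spf"]), "dmarc": check_dmarc(records["dmarc"])}


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        result = assess(name, recs)
        print(name, "SPF:", result["spf"] or "ok", "DMARC:", result["dmarc"] or "ok")
```

The softfail and `p=none` findings are the ones that matter most in practice: both are common "we set it up but never enforced it" states, and both leave the domain spoofable from a receiver's point of view.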
Enumerate DNS with python
Dnsrecon
Open source Intelligence (OSINT)
Recon & Enumeration
Quickly Generate a List of IPs for Enumeration
Quick one-liners to ping hosts
TCP Flags overview
SYN = Synchronize = starts a connection between two devices
“Hello, I want to have a conversation with you”
ACK = Acknowledgement = confirms receipt of a packet
“Got your hello, I can hear you loud and clear”
URG = Urgent = requests data to be processed immediately
“There’s important data that needs to be handled quickly”
PSH = Push = sends all buffered data immediately
“Don’t hold data waiting for more”
FIN = Finish = no more data is coming
“Thanks for the chat, goodbye!”
RST = Reset = resets the connection
“There was an error in the communication”
TCP Flags in Wireshark
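The flag overview above maps each bit to its meaning; the following added Python example (written for this page, not part of the workshop materials) does the same mechanically: it decodes the flag byte of a TCP header, describes the combination in the spirit of the slide's quotes, and builds the equivalent Wireshark display filter. The 20-byte header it parses is a constructed SYN, not a real capture.

```python
import struct

# Bit values of the TCP flag byte (byte 13 of the header), lowest bit first.
TCP_FLAGS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]

# Wireshark's field names differ from the RFC abbreviations for two flags.
WIRESHARK_FIELDS = {"FIN": "fin", "SYN": "syn", "RST": "reset",
                    "PSH": "push", "ACK": "ack", "URG": "urg"}


def decode_flags(flag_byte):
    """Names of the flags set in one TCP flag byte, e.g. 0x12 -> ['SYN', 'ACK']."""
    return [name for bit, name in TCP_FLAGS if flag_byte & bit]


def describe(flags):
    """Plain-English reading of a flag combination."""
    s = set(flags)
    if not s:
        return "NULL packet: no flags at all, which a normal TCP stack never sends"
    if s == {"SYN"}:
        return "connection request (first step of the handshake)"
    if s == {"SYN", "ACK"}:
        return "connection accepted (second step of the handshake)"
    if "RST" in s:
        return "connection reset (closed port or aborted session)"
    if "FIN" in s:
        return "orderly close: no more data is coming"
    if "PSH" in s:
        return "data delivery: push buffered data to the application now"
    if s == {"ACK"}:
        return "acknowledgement only"
    return "other combination: " + ",".join(flags)


def wireshark_filter(flags):
    """Display filter matching exactly this combination of the six classic flags."""
    return " && ".join(
        f"tcp.flags.{field} == {1 if name in flags else 0}"
        for name, field in WIRESHARK_FIELDS.items()
    )


def parse_tcp_header(raw):
    """Parse the fixed 20-byte part of a TCP header from raw bytes."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack = struct.unpack("!HHII", raw[:12])
    header_len = (raw[12] >> 4) * 4          # data offset is counted in 32-bit words
    flags = decode_flags(raw[13])
    window, _checksum, _urg_ptr = struct.unpack("!HHH", raw[14:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window}


# Constructed sample: a bare SYN from an ephemeral port to port 80 (not a real capture).
SYN_PROBE = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 64240, 0, 0)

if __name__ == "__main__":
    hdr = parse_tcp_header(SYN_PROBE)
    print(hdr["src_port"], "->", hdr["dst_port"], hdr["flags"], describe(hdr["flags"]))
    print("Wireshark filter:", wireshark_filter(hdr["flags"]))
```

Note that the handshake flags are the ones a monitoring rule keys on: a SYN with no ACK is a new connection attempt, a SYN/ACK is a listener answering, and a RST in reply is a closed port. A flag byte of zero (the NULL case) is worth alerting on outright, since no legitimate stack produces it.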
Using netcat to enumerate ports
Using Netcat & Grep to enumerate open ports
Banner Grabbing with Netcat
Network Mapper - NMAP
Nmap -sV Scan
Nmap -A Scan
Nmap -sV Scan
Hack for 5
Flag #1 – What is the syntax to output an Nmap scan in a greppable file format?
Flag #2 – What Nmap flag will allow you to manually set a user agent string for your Nmap scan?
**hint** - manual nmap
Grepping & NMAP
Building a Simple Enumeration Script with BASH, Grep, & CUT
https://github.com/LibertyUnix/exam_scripts/blob/master/base-recon.sh
Building a Simple Enumeration Script with BASH
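The linked bash script does its work with grep and cut over Nmap's greppable output; the following added Python example (written for this page, not the linked script or Nmap's own code) performs the same parsing step so the structure of that format is explicit: one tab-separated line per host, with each port written as `port/state/proto/owner/service/rpc/version/`. The scan output embedded below is a constructed sample, not a real scan.

```python
# Constructed greppable-format output in the shape Nmap writes it; not a real scan result.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "23/closed/tcp//telnet///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 (web.lab)\tStatus: Up\n"
    "Host: 192.0.2.11 (web.lab)\tPorts: 80/open/tcp//http//Apache httpd 2.2.8/, "
    "443/filtered/tcp//https///\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)


def parse_greppable(text):
    """Map each host IP to its hostname and a list of (port, proto, service, version) open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment lines and anything else
        fields = {}
        for chunk in line.split("\t"):     # "Host: ...", "Ports: ...", "Ignored State: ..."
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip, _, hostname = fields["Host"].partition(" ")
        hosts.setdefault(ip, {"hostname": hostname.strip("()"), "open": []})
        if "Ports" not in fields:
            continue                       # the "Status: Up" line carries no ports
        for entry in fields["Ports"].split(", "):
            # Nmap writes '|' in place of '/' inside the version field, so splitting on '/' is safe.
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":
                hosts[ip]["open"].append((int(port), proto, service, version))
    return hosts


def hosts_with_service(hosts, service):
    """IPs that expose the named service, e.g. every host with ftp open."""
    return sorted(ip for ip, info in hosts.items()
                  if any(svc == service for _, _, svc, _ in info["open"]))


def report(hosts):
    """One line per host, in the style of the bash script's output."""
    lines = []
    for ip, info in sorted(hosts.items()):
        ports = ", ".join(f"{p}/{proto} {svc} {ver}".rstrip()
                          for p, proto, svc, ver in info["open"])
        lines.append(f"{ip} {info['hostname'] or '-'}: {ports or 'no open ports'}")
    return "\n".join(lines)


if __name__ == "__main__":
    scan = parse_greppable(SAMPLE_GNMAP)
    print(report(scan))
    print("ftp on:", hosts_with_service(scan, "ftp"))
```

Because the format is line-oriented, the same parse works as a streaming filter on a large scan, which is why the greppable format is the one to feed into shell pipelines or a ticketing script rather than the XML or normal output.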
Banner Grabbing with Netcat
Break
Wireshark
Triggering the Backdoor & Connecting to the Shell
VSFTPD v2.3.4 contains a backdoor that is triggered by entering anystring:) as the username (no password required).
Passing shells with netcat
Transferring data with netcat
Transferring Encoded data with Netcat
Decoding netcat shadow transfer
Risk of clear text communication
Hack for 5
Flag #1 – Find the /etc/shadow file being transferred without Base64 encoding
Flag#2 – What is the Wireshark filter to only see traffic originating from the compromised machine?
**hint** - manual nmap
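The point of the clear-text section is that Base64 is an encoding, not a cipher: anyone watching the wire can reverse it. This added Python example (written for this page, not part of the workshop materials) takes the defender's side of the exercise above: given lines from a captured stream, it flags /etc/shadow entries whether they were sent in the clear or wrapped in Base64. The captured stream and the hash values in it are constructed, not real.

```python
import base64
import re

# One /etc/shadow entry: login name, password hash (or a lock marker), then seven aging fields.
SHADOW_ENTRY = re.compile(r"^[a-z_][a-z0-9_-]*:(?:\$[^:]+|[*!]+):\d*:\d*:\d*:\d*:\d*:\d*:[^:]*$")
# A run of Base64 alphabet characters long enough to be worth decoding.
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed stream as it might look in a follow-TCP-stream view: chat lines, one
# shadow entry in the clear, and two entries sent Base64-encoded. Hashes are fake.
PLAIN_ENTRY = "root:$6$constructedsalt$constructedhashvalue:18000:0:99999:7:::"
ENCODED_ENTRIES = base64.b64encode(
    b"daemon:*:18000:0:99999:7:::\nmsfadmin:$1$constructed$fakehash:18000:0:99999:7:::\n"
).decode()
CAPTURED_STREAM = ["hello from the other side", PLAIN_ENTRY, ENCODED_ENTRIES, "bye"]


def decode_if_base64(line):
    """Decoded text if the line is a Base64 blob that decodes to UTF-8, otherwise None."""
    if not BASE64_BLOB.match(line) or len(line) % 4:
        return None
    try:
        return base64.b64decode(line, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def scan_stream(lines):
    """Return (how, username) for every shadow entry found, in the clear or Base64-wrapped."""
    findings = []
    for line in lines:
        line = line.rstrip("\r\n")
        if SHADOW_ENTRY.match(line):
            findings.append(("cleartext", line.split(":", 1)[0]))
            continue
        decoded = decode_if_base64(line)
        if decoded:
            for inner in decoded.splitlines():
                if SHADOW_ENTRY.match(inner):
                    findings.append(("base64", inner.split(":", 1)[0]))
    return findings


if __name__ == "__main__":
    for how, user in scan_stream(CAPTURED_STREAM):
        print(f"shadow entry for {user!r} seen {how}")
```

The encoded case is the one worth remembering: the Base64 blob "hides" the entries from a naive string match on `root:`, yet a one-line decode recovers them. Only encryption (an SSH or TLS channel) keeps the content from an observer on the path.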
Web applications, oh my!
Scanning web applications with Nikto
Netcat & dirbuster
Web applications, oh my!
A non-interactive shell is a shell that cannot interact with the user. It is most often run from a script. This means that .bashrc and .profile are not executed.
Python Pseudo-terminal utilities
pty.spawn(argv[, master_read[, stdin_read]])
Spawn a process, and connect its controlling terminal with the current process's standard I/O.
This is often used to baffle programs which insist on reading from the controlling terminal.
The functions master_read and stdin_read should be functions which read from a file descriptor.
The defaults try to read 1024 bytes each time they are called.
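To make the "controlling terminal" part of the pty description concrete, here is an added Python example (written for this page; it is not from the pty module documentation quoted above). It runs the same probe command two ways, once behind a pseudo-terminal created with pty.fork and once over plain pipes, and shows that only the first looks like a terminal to the child. The read callback mirrors the 1024-byte default described above. It assumes a POSIX host with /dev/ptmx available, as a Kali VM has.

```python
import os
import pty
import subprocess
import sys

# The child only reports whether its own stdin is a terminal; a constructed probe command.
PROBE = [sys.executable, "-c", "import sys; print(sys.stdin.isatty())"]


def master_read(fd):
    """Same contract as pty.spawn's master_read: read from a descriptor, at most 1024 bytes."""
    return os.read(fd, 1024)


def run_with_pty(argv):
    """Run argv with a pseudo-terminal as its controlling terminal; return its output text."""
    pid, master_fd = pty.fork()
    if pid == 0:                         # child: the pty slave is now fds 0, 1 and 2
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)                # only reached if exec failed
    chunks = []
    try:
        while True:
            data = master_read(master_fd)
            if not data:                 # EOF on platforms that report it that way
                break
            chunks.append(data)
    except OSError:                      # Linux raises EIO once the child closes the slave
        pass
    finally:
        os.close(master_fd)
    os.waitpid(pid, 0)
    # The terminal line discipline turns "\n" into "\r\n" on the way out; undo that.
    return b"".join(chunks).decode().replace("\r\n", "\n").strip()


def run_without_pty(argv):
    """Run argv non-interactively, the way a script or a plain reverse shell does."""
    done = subprocess.run(argv, stdin=subprocess.DEVNULL, capture_output=True, text=True)
    return done.stdout.strip()


if __name__ == "__main__":
    print("with pty   :", run_with_pty(PROBE))      # True
    print("without pty:", run_without_pty(PROBE))   # False
```

The difference is exactly what the quoted description means by "programs which insist on reading from the controlling terminal": tools such as password prompts, editors and job control check isatty() and either misbehave or refuse to run when the answer is False. On the defensive side, a shell that suddenly acquires a pty under a service account that never had one is a useful anomaly to log.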