# Offensive Security 101 Workshop

## Types of Assessments

### Penetration Testing Process

#### Traditionally, penetration tests are broken into various phases, as shown below:

![](/files/-M4B_s231GSqrL2rT8X7)

### Red Team Operations

**A red team operation can be defined as "an extended form of engagement conducted over a period of weeks and designed to achieve a set objective such as data exfiltration, and in the process test an organization's detection and response capabilities."**

#### Note: if there is no defense, then there is no red team. A red team's sole purpose is to help strengthen the blue team.

### Penetration Testing vs Red Team Engagements

* Scheduled security test vs adversarial-based assessment
* Red Team = Blue Team present and operational
* A Red Team's sole purpose is to support the Blue Team
* A penetration test does not emulate an attacker; it discovers exploitable vulnerabilities
  * Chaining of vulnerabilities to demonstrate a PoC against vulnerable systems (Yay to DA!)
* In red team engagements, operational controls are baselined and stress tested.
  * Are your sensors working?

## What is a Red Team

A red team is an independent group that challenges an organization to improve its effectiveness by assuming an adversarial role or point of view.

It is particularly effective in organizations with strong cultures and fixed ways of approaching problems.

## What is a Purple Team?

### How are Purple Teams Successful?

A true purple team’s mission should be to provide emphasis **not on the remediation** of vulnerabilities but rather **prevention and detection growth** of the organization.

## Setting Up Your Lab Machines

* Before starting the lab, ensure both of your VMs are imported in VirtualBox / VMware
  * <https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html>
  * <https://docs.vmware.com/en/VMware-Workstation-Pro/12.0/com.vmware.ws.using.doc/GUID-DDCBE9C0-0EC9-4D09-8042-18436DA62F7A.html>
* Next, confirm both VMs are set to NAT or Host-Only for network traffic
  * Settings > Network > NAT
  * Settings > Network > Host-Only
* Log into your Kali VM using the credentials root:toor
  * Enter the command `ifconfig` and write your IP address down
* Log into your Metasploitable2 VM using the credentials msfadmin:msfadmin
  * Enter the command `ifconfig` and write your IP address down
* Confirm network connectivity between hosts by sending a ping from Kali to Metasploitable and from Metasploitable to Kali

**Note:** if you wish to access both VMs from your host terminal, simply run `sudo service ssh start` on each machine and connect to both over SSH.

* OSX/Linux – Terminal
* Windows – Putty/CMDER

## Passive Recon

* **Social Mapper**
  * **OSINT Social Media Mapping Tool**
* **Maltego**
  * **Take your APIs to the next level**
* **Fat Fingers & GitHub**
  * **TruffleHog searches through git repositories for secrets.**
* **Creds already available?**
  * **pwnedOrNot uses the haveibeenpwned v2 API to test email accounts and tries to find the password in Pastebin dumps.**

## Active Recon

* **EyeWitness takes screenshots of websites, provides server header info, and can identify default credentials if possible.**
* **AWSBucketDump**
  * **Dump Those Buckets!**
* **How hard will it be to Phish?**
  * **Spoofcheck is a program that checks SPF and DMARC records for weak configurations that allow spoofing.**
* **Enumerate DNS with python**
  * **Dnsrecon**

## Open source Intelligence (OSINT)

## Recon & Enumeration

### Quickly Generate a List of IPs for Enumeration

### Quick One-Liners to Ping Hosts

### TCP Flags overview

* **SYN** = Synchronize = starts a connection between two devices
  * “Hello, I want to have a conversation with you”
* **ACK** = Acknowledgement = confirms receipt of a packet
  * “Got your hello, I can hear you loud and clear”
* **URG** = Urgent = requests data to be processed immediately
  * “There’s important data that needs to be handled quickly”
* **PSH** = Push = sends all buffered data immediately
  * “Don’t hold data waiting for more”
* **FIN** = Finish = no more data is coming
  * “Thanks for the chat, goodbye!”
* **RST** = Reset = resets the connection
  * “There was an error in the communication”
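Decoding these flags from a raw segment, as an added example that is not part of the workshop: the 20-byte headers are constructed inline, and the classifier shows how the flag sequence alone separates a completed three-way handshake from a half-open probe or a closed port.

```python
import struct

# Flag bits in byte 13 of the TCP header (RFC 9293), in bit order.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header, no options; seq/ack/checksum zeroed."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       offset_flags, 65535, 0, 0)

def parse_tcp_flags(header: bytes) -> list[str]:
    """Names of the flags set in a raw TCP header (first 20 bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return [name for name, bit in TCP_FLAGS.items() if offset_flags & bit]

def classify_exchange(segments: list[tuple[str, bytes]]) -> str:
    """Classify a client/server exchange by the flag sequence on the wire.

    segments are (direction, raw_header) with direction "c2s" or "s2c".
    Returns "established" for a full three-way handshake, "half-open probe"
    when the client answers SYN/ACK with RST instead of ACK (the shape a
    SYN scan leaves in a capture), and "closed port" when the server
    answers the SYN with RST/ACK.
    """
    seq = [(d, frozenset(parse_tcp_flags(h))) for d, h in segments]
    syn = ("c2s", frozenset({"SYN"}))
    synack = ("s2c", frozenset({"SYN", "ACK"}))
    if seq[:2] == [syn, synack]:
        if len(seq) > 2 and seq[2] == ("c2s", frozenset({"ACK"})):
            return "established"
        if len(seq) > 2 and seq[2][0] == "c2s" and "RST" in seq[2][1]:
            return "half-open probe"
        return "incomplete"
    if seq[:2] == [syn, ("s2c", frozenset({"RST", "ACK"}))]:
        return "closed port"
    return "other"
```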

### TCP Flags in Wireshark

## Using netcat to enumerate ports

## Using Netcat & Grep to enumerate open ports

## Banner Grabbing with Netcat

*Network Mapper - NMAP*

## Nmap -sV Scan

## Nmap -A Scan

## Nmap -sV Scan

## Hack for 5

Flag #1 – What is the syntax to output an Nmap scan in a greppable file format?

Flag #2 – What Nmap flag will allow you to manually apply a user agent string to your Nmap scan?

**Hint:** manual nmap

## Grepping & NMAP

## Building a Simple Enumeration Script with BASH, Grep, & CUT

<https://github.com/LibertyUnix/exam_scripts/blob/master/base-recon.sh>
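The script linked above does its parsing with bash, grep and cut; as an added example (not the workshop's script), here is the same job in Python, assuming a scan already saved in nmap's greppable output format. The scan text below is constructed, not a real scan, and the hosts and versions in it are invented.

```python
# Constructed sample in nmap's greppable output format (not a real scan).
# Fields on a line are tab-separated; each port entry is
# port/state/proto/owner/service/rpcinfo/version/ (the bash version
# gets port and service with: cut -d/ -f1,5).
SAMPLE_GNMAP = """# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 23/open/tcp//telnet///, 80/open/tcp//http//Apache httpd 2.2.8/\tIgnored State: closed (996)
Host: 192.168.56.102 ()\tStatus: Up
Host: 192.168.56.102 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, 443/filtered/tcp//https///\tIgnored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up)
"""

def parse_gnmap(text: str) -> dict[str, list[dict]]:
    """Map each host IP to the port records found on its 'Ports:' lines."""
    hosts: dict[str, list[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and anything else nmap prints
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # e.g. "Status: Up" or "Ignored State: ..."
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                hosts[ip].append({"port": int(parts[0]), "state": parts[1],
                                  "proto": parts[2], "service": parts[4],
                                  "version": parts[6]})
    return hosts

def open_ports(hosts: dict, ip: str) -> list[tuple[int, str]]:
    """(port, service) pairs reported open for one host."""
    return [(p["port"], p["service"]) for p in hosts.get(ip, [])
            if p["state"] == "open"]

def hosts_with_service(hosts: dict, service: str) -> list[str]:
    """Hosts that expose a given service on an open port (e.g. "ssh")."""
    return sorted(ip for ip, ports in hosts.items()
                  if any(p["service"] == service and p["state"] == "open"
                         for p in ports))
```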

## Building a Simple Enumeration Script with BASH

## Banner Grabbing with Netcat

## Break

## Wireshark

## Triggering the Backdoor & Connecting to the Shell

VSFTPD v2.3.4 contains a backdoor that is triggered by entering **anystring:)** as the username (no password required).

## Passing shells with netcat

## Transferring data with netcat

## Transferring Encoded data with Netcat

## Decoding netcat shadow transfer

## Risk of clear text communication

## Hack for 5

Flag #1 – Find the /etc/shadow file being transferred without base64 encoding

Flag #2 – What is the Wireshark filter to only see traffic originating from the compromised machine?

**Hint:** manual nmap

## Web applications, oh my!

## Scanning web applications with Nikto

## Netcat & dirbuster

## Web applications, oh my!

<https://netsec.ws/?p=331>

A non-interactive shell is a shell that cannot interact with the user. It is most often run from a script. This means that `.bashrc` and `.profile` are not executed.

## Python Pseudo-terminal utilities

* `pty.spawn(argv[, master_read[, stdin_read]])`
* Spawns a process and connects its controlling terminal with the current process's standard I/O.
  * This is often used to baffle programs which insist on reading from the controlling terminal.
* The functions `master_read` and `stdin_read` should be functions which read from a file descriptor.
  * The defaults try to read 1024 bytes each time they are called.
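An added example (not from the workshop or the Python documentation) that uses both optional callbacks and shows why the pseudo-terminal matters: the same probe child reports a terminal on its stdin under `pty.spawn()` and a plain pipe otherwise, which is exactly the difference between an interactive and a non-interactive shell.

```python
import os
import pty
import subprocess
import sys

# Probe child: prints whether its own stdin is a terminal.
ISATTY_PROBE = [sys.executable, "-c", "import sys; print(sys.stdin.isatty())"]

def run_on_pipe(argv: list[str]) -> bytes:
    """Run argv with stdin/stdout on pipes: how a non-interactive shell sees the world."""
    return subprocess.run(argv, input=b"", capture_output=True, check=True).stdout

def spawn_and_capture(argv: list[str]) -> bytes:
    """pty.spawn(argv, master_read, stdin_read) with both optional callbacks.

    master_read(fd) runs whenever the child wrote to the pty; we copy the
    bytes into a buffer and must return them (pty treats b'' as EOF and stops).
    stdin_read(fd) runs when our own stdin is readable; returning b'' tells
    pty to stop forwarding stdin, so the child runs without interactive input.
    """
    captured = bytearray()

    def master_read(fd: int) -> bytes:
        data = os.read(fd, 1024)  # same size as pty's default reader
        captured.extend(data)
        return data

    def stdin_read(fd: int) -> bytes:
        return b""  # never forward our stdin: the child gets no input

    pty.spawn(argv, master_read, stdin_read)  # blocks until the child exits
    return bytes(captured)  # note: a tty turns "\n" into "\r\n" on output

def child_sees_tty(use_pty: bool) -> bool:
    """True if the probe child believes it is attached to a terminal."""
    out = spawn_and_capture(ISATTY_PROBE) if use_pty else run_on_pipe(ISATTY_PROBE)
    return out.strip() == b"True"
```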


