Hello, friend. It’s been a while. The internet has been an ever-expanding and evolving technology that has become a critical part of our lives. As the world becomes more digitalized, so does the risk from external threats to our systems and the security of our data. To combat this, there is a community of professionals, like me, that monitor and scan systems searching for vulnerabilities and signs of compromise. Today, I’d like to share some insights with you that have benefited me in this profession.
Allow me to set the backstory of my journey: it started when I was eighteen. During my year in this field, it has been a roller coaster ride full of ups, downs, and twists. Roller coasters are not everyone’s cup of tea; some cannot hack it, while others live for the next great ride. “Okay Zab, enough of the chitchat, get to your point.” Noted, but before I begin, let me state this disclaimer about the article: this blog post is going to be focused on the technical aspects I’ve learned. Everything mentioned below is for educational purposes only.
Since I began this adventure into the industry of cybersecurity, my driving force was to be a penetration tester. During my journey, I’ve learned various shortcuts, techniques, tricks, and procedures that have managed to shave off substantial time during my engagements. What I’m attempting to showcase is the methodology and mindset I utilize to stay focused, efficient, and effective.
For example, let’s take the IP address or domain name of a site. By utilizing commands such as nslookup and dig, and sites such as DNSdumpster.com, I can obtain various open-source data and information about my target(s). This data is the doorway into the house that I’m going to attempt to gain access through. Hopefully, you’ve remembered to lock your doors.
One of my preferred passive tools to utilize when trying to bypass the door is Wappalyzer. It provides me insight into the door’s composition and structure; this is called “enumeration”. It is not always 100% accurate, but accurate enough, and I can utilize another tool called Burp Suite to validate the technology stack. It helps to take the time to verify your findings with other resources so as not to leave any trace that anyone was here. Now that I know more about the door, let’s look at the locking mechanism, represented by the various data input fields. Can I pick the lock with my favorite lockpicks, ‘XSS’ (Cross-Site Scripting) or ‘SQLi’ (SQL Injection)? Darn, it’s a new lockset, everything is still stiff, so my lockpicks won’t work. None of that is giving me anything?
Let’s go and check the back of the house; this scan usually provides some insight into other ways to gain entry. I have a nice little tool that comes in handy here called ‘gobuster’, since most people tend to forget to lock the access points on the backside of the house. The first thing I’m going to check is that backdoor or sliding glass door: the ‘login’ page, like an old, used lockset that is all worn out or not even locked. I can possibly see an interesting room from the back of the house that will let me in. Maybe my pick set or passive tools will help me gain entry.
Aside from the above steps, another thing I look out for when trying to get into the house is whether I can slip something between the frames to trip a latch; in web apps, this is the file upload functionality. A great tool for this is commonly a shim or slim jim, and mine is called a ‘reverse shell’. If that doesn’t work, I consider how to bypass the locking mechanism another way, even if I have to damage it, especially if the screws are on my side and not inside the house, which means I can dismantle the flange or latch to use another tool. One weakness I favor is a file upload filter that is only enforced client-side; sometimes I disguise the file by manually changing its file signature, or use Burp Suite to assist me in this task.
“Zablon, what if you can’t get into this house, then what do you do?” I have a whole community of houses and I only need to find one to break into. What if it’s a condo unit I’m looking at and I can’t gain access to one unit, but can break into the other? Who knows, maybe I can gain access to the first unit through the attic; this is a ‘pivot’ point for me to get into the other unit. I can easily find this out with my flashlight, nmap! Nmap is my ultimate tool for finding out which house I want to get access to. I can give Nmap the tedious task of finding out how every house is connected in one go, and I can even tell which ones have people present. This way I know which ones I shouldn’t attempt any nearby reconnaissance on, as I may get caught. So, there is a nice tool called a ‘ping scan’ I can use for this. After I confirm which houses are accessible, I use a bunch of other resources for entry. The one problem I had with my light is that the bulb was too bright and it took a long time to scan everything, but that’s because I did change the bulb or batteries out before going out. Now, special switches/mini-tools are my go-to when checking everything, and I will explain what they do and why I use each of them further on.
nmap -sn -vv ipaddr -oN ping_scan.log
nmap -sT -vv ipaddr -oN TCP_scan.log
nmap -sU -vv ipaddr -oN UDP_scan.log
nmap -sN -vv ipaddr -oN Null_session_scan.log
nmap -sV -vv ipaddr -oN service_version_scan.log
nmap -O -vv ipaddr -oN OS_scan.log
-sn: disables the port scan and does a ping scan only. I generally use this when scanning a whole subnet of hosts. It cuts my time by quite a lot. Once I know which houses have people in them, I can focus my efforts on those houses specifically. Depending on the type of compound I’m in, and what I’m looking for, I’ll either use a TCP, UDP, or Null session scan to find the house with people in it. There are more ways to do this scan, including an Xmas or a FIN scan, but a TCP scan or a Null session scan is all I’ve ever had to use so far. The difference is that the Null scan makes it harder for the person in the house to know what I’m doing.
Once I know which houses are viable and which entry points are possible, I do the last part: checking my access points. I commonly refer to these as ports, for ports of entry. Again, I scan these to see how they specifically function, what their intended purpose or services are, and what type of frame (Microsoft, Linux, etc.) they are mounted on. This tells me a lot about the various ports, I mean access points, which are available. It could have sliding windows, a backdoor, a French door, and so on. Once the initial scanning is done, my next step would be finding a vulnerability on the exterior that I can exploit, more enumeration, or circling back to OSINT again. I can use a trusty tool called searchsploit to see if I have any tools I can use from the Metasploit framework to get into the house using one of the entry points.
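The scans above all write nmap’s “normal” output with -oN, and those logs pile up quickly across a subnet. Here is an added example (my own code, not from the original post) that parses such a log into a per-host summary of live hosts and their open ports; the log text is constructed to look like -vv output and uses documentation addresses.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of nmap "normal" (-oN) output, in the shape the -vv scans
# above write; the addresses are from the RFC 5737 documentation range.
SAMPLE_LOG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -vv 192.0.2.0/29 -oN service_version_scan.log
Nmap scan report for 192.0.2.1
Host is up, received echo-reply ttl 64 (0.00042s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.52 ((Ubuntu))
Nmap scan report for 192.0.2.2
Host is up (0.00031s latency).
All 1000 scanned ports on 192.0.2.2 are in ignored states.
Nmap scan report for 192.0.2.3 [host down, received no-response]
Nmap done: 8 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[^)]+)\))?"
                     r"(?: \[host down.*\])?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
                     r"(?P<service>\S+)\s*(?P<rest>.*)$")
REASON_RE = re.compile(r"^\S+(?: ttl \d+)?\s*")  # e.g. "syn-ack ttl 64 "

@dataclass
class Host:
    address: str
    up: bool = False
    ports: list = field(default_factory=list)  # (port, proto, service, version)

def parse_nmap_normal(text):
    """Parse nmap -oN text into Host records, one per 'scan report' block."""
    hosts, current, has_reason = [], None, False
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = Host(m.group("ip") or m.group("name"), up="[host down" not in line)
            hosts.append(current)
            has_reason = False
        elif current is None:
            continue  # banner lines before the first host
        elif line.startswith("Host is up"):
            current.up = True
        elif line.startswith("PORT "):
            has_reason = "REASON" in line  # -v/-vv adds a REASON column before VERSION
        elif (m := PORT_RE.match(line)) and m.group("state") == "open":
            rest = REASON_RE.sub("", m.group("rest"), count=1) if has_reason else m.group("rest")
            current.ports.append((int(m.group("port")), m.group("proto"),
                                  m.group("service"), rest.strip()))
    return hosts

def summarize(hosts):
    """Map each live host to its open ports as 'port/proto service version' strings."""
    return {h.address: [f"{p}/{pr} {s} {v}".strip() for p, pr, s, v in h.ports]
            for h in hosts if h.up}

if __name__ == "__main__":
    for address, ports in summarize(parse_nmap_normal(SAMPLE_LOG)).items():
        print(address, ports or "no open ports")
```

Point it at the real files with `parse_nmap_normal(open("service_version_scan.log").read())`; the same parser works on the -sn ping scan log, where every live host simply has an empty port list.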
If the weakness is vulnerable enough, chances are I can get easy access to the house. If not, I can always look for other ways to get into the house or move on to the next one. Again, I only need one and sometimes it opens doors to others.
If there is an alarm or authentication service installed, then I try to circumvent it by either sending an alternate signal to it or confusing it so it recognizes me as someone that is allowed access. A good tool for this is a face mask (get in anonymously) or another tool called hydra with a dictionary (for example, rockyou.txt is a dictionary used for this purpose) so I can send the appropriate signal of someone the house knows.
I look at my watch to see how long I’ve been at this, because I don’t want to be caught here, so I assess the easiest way in through one of the windows, literally if it is a Windows OS, considering if there are bars, grates, screens, dual or single latch. I can use this simple window, or command prompt, with finesse: I take my two favorite tools, ‘enum4linux’ and ‘smbclient’, to negate the latch(es)…
enum4linux -a ipaddr
smbclient -L //ipaddr -N
Assuming I have done enough to get some sort of foothold in the system, I would go back to OSINT again to find privilege escalation scripts and get root. Additionally, whatever hashes I find (password and shadow files included), I try to crack using John. However, if the file is too large, I would prioritize which hash I want to crack first.
With a good network connection and a few good moves, I think this can help finish an engagement within a few hours. I hope this article has helped!