Thursday 27 August 2015

Pentesting Methodology Tutorial part 2

Hi friends,

Welcome to the second part of the methodology plan:

Attack

If you have done your homework during the Discovery phase then hopefully the initial part of the Attack phase will go smoothly and successfully. In this section we are going to map all the Kali tools to the different parts of the Attack phase of NIST 800-115.
Here is a summary of the Attack phase and its various parts. Keep in mind that we will continue to revisit the Discovery phase throughout the course of the penetration test.

Gaining Access

Kali has several tools that can assist with gaining access to systems and networks. Most people, including us, will immediately launch Metasploit; however, there are several other tool sets that can be leveraged. To make things a bit more straightforward we have broken these tool sets out based on the various attack vectors.

Password Attacks

Tool/Capability - Description
Hydra/gtk-hydra - Network logon cracker which supports many different services.
Dbpwaudit - A Java tool that allows you to perform online audits of password quality for several database engines.
Cisco-audit-tool - Script which scans Cisco routers for common vulnerabilities.
Onesixtyone - An SNMP scanner which utilizes a sweep technique to achieve very high performance.
Acccheck - Script for checking default logins on Windows.
John - Offline dictionary and brute-force cracking tool.
Ophcrack - A Windows password cracker based on rainbow tables.

Vulnerability Exploitation

Tool/Capability - Description
Metasploit - Penetration testing and exploitation framework.
Searchsploit - Script used to search Exploit-DB exploits.
Social Engineering Toolkit - An open-source Python-driven tool aimed at penetration testing around social engineering.

Wireless Attacks

Tool/Capability - Description
Aircrack-ng - An 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured.
Fern - A wireless security auditing and attack program written in Python with the Python Qt GUI library. It can crack and recover WEP/WPA/WPS keys and also run other network-based attacks on wireless or Ethernet networks.

Web Attacks

Tool/Capability - Description
Browser Exploitation Framework (BeEF) - A penetration testing tool that focuses on the web browser.
Sqlninja - A tool targeted at exploiting SQL injection vulnerabilities in a web application that uses Microsoft SQL Server as its back-end.
Bbqsql - SQL injection exploitation tool.

Escalating Privilege

Once we have gained user-level access to a system, 9 times out of 10 we want to escalate our privilege to gather more sensitive information such as passwords or restricted data. We will usually perform some of the same Discovery phase processes in order to identify and exploit additional vulnerabilities. You will notice that we have repeated several tools from previous tables; however, we have provided additional descriptions that are more relevant to this phase of the process.

Tool/Capability - Description
Unix-privesc-check - A script that runs on Unix systems (tested on Solaris 9, HP-UX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
lynis - An auditing tool for Unix specialists. It scans the system and available software to detect security issues.
enum4linux - A tool for enumerating information from Windows and Samba systems.
Metasploit - Penetration testing and exploitation framework. Metasploit has several modules that can assist with privilege escalation.
Searchsploit - Script used to search Exploit-DB for local privilege escalation exploits.
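As an added example (not part of the original post and not unix-privesc-check's own code), here is a small POSIX shell audit in the same spirit: it reports the two classic local privilege-escalation misconfigurations, world-writable files/directories and setuid/setgid executables, under a root directory. The default root of /usr/local/bin and the script name privesc_audit.sh are assumptions.

```shell
#!/bin/sh
# Added example in the spirit of unix-privesc-check (not its code).
# It walks a directory tree and reports:
#   1. world-writable files and directories (anyone can plant or alter content)
#   2. setuid/setgid regular files (run with the owner's/group's privileges)
# Usage: sh privesc_audit.sh [ROOT]   (ROOT defaults to /usr/local/bin, an assumption)

# Print world-writable files and directories under $1, one path per line.
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 2>/dev/null | sort
}

# Print setuid or setgid regular files under $1, one path per line.
find_setuid_setgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Total number of findings under $1, so a caller can gate on the result.
count_findings() {
    n=$(find_world_writable "$1" | wc -l)
    m=$(find_setuid_setgid "$1" | wc -l)
    echo $((n + m))
}

# Human-readable report for one root directory.
audit() {
    root="${1:-/usr/local/bin}"
    echo "== world-writable files/dirs under $root =="
    find_world_writable "$root"
    echo "== setuid/setgid executables under $root =="
    find_setuid_setgid "$root"
    echo "total findings: $(count_findings "$root")"
}

# Only run the report when a root is given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Every hit is a candidate for review, not proof of a vulnerability: some setuid binaries (passwd, sudo) are expected, so compare the output against a known-good baseline for the host.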

System Browsing

Tool/Capability - Description
windows-binaries - Folder in Kali with multiple Windows exploits and binaries.
Sbd.exe - An encrypted version of netcat.
nc.exe - Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection you would need and has a number of built-in capabilities. Netcat is often referred to as a "Swiss-army knife for TCP/IP". Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.
Metasploit/Meterpreter - Exploitation framework with additional modules to gather information once a host is compromised.

Install Additional Tools

Tool/Capability - Description
atftpd - Linux TFTP daemon that can be used to upload and download files from target systems.
apache - Web server that can be used to deliver additional tools to a compromised host.

Reporting

Lastly, we need to take all the data from the various tools as well as our manual observations and screenshots to create a report. A typical penetration test report has two audiences: a non-technical audience that needs enough detail to understand the problem and make management-level decisions to address the risk (think resources and budget), and the technical audience who will be responsible for mitigating the findings.

Tool/Capability - Description
Dradis - Open-source framework for sharing information during a penetration test. Dradis allows you to output gathered information in HTML and Word.
MagicTree - A penetration tester productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and (yeah!) report generation.
