In this class, we learned about how to plan out, perform, and conclude a Penetration Test on a company, including writing documentation, performing the test, how to conduct ourselves on a test, and most importantly how to do a test legally. Going along with this, the instructor shared with us real-world experiences from his previous penetration tests, with in-class demonstrations of the tools we would be using for our assignments.
Assignment #1: Passive Recon
As part of the Passive Recon portion of the class, we had to find a target (ourselves, someone who gave consent, etc.) and perform reconnaissance on that target, to discover as much information as we can about them. This information includes home address, family members, phone numbers, make of vehicles, ex-family members, place of work, and other such things. I would share my results of that project, but that would be essentially doxxing someone, so I'm just not gonna do that.
Part of this assignment was also to design, write, and mail a believable phishing email to the professor using the Social Engineering Toolkit. The goal of this email was to take the place of an external attacker trying to gain access to a system via the use of a malicious payload that was to be included with the email, or through the use of a malicious link.
As for what I learned from this assignment, I learned that there is a lot more information about me on the internet than I previously thought. It is truly concerning how much someone is able to find out about another person just through some web searches, along with using some tools such as recon-ng. It was very informative and it proved to be a good introduction to the rest of the course. I also learned that it's a lot easier than one would expect to receive a malicious email with very convincing information in it. Always be careful with what's going on on the internet.
Assignment #2: Active Recon
As part of the Active Recon portion of the class, we had to establish a network or use the class's Virtual Machines, and perform an active reconnaissance scan against the network involving the use of tools such as Nmap, Metasploit, banner grabbing using curl, and Nikto to scan for vulnerabilities on a website. We used these tools in order to find flaws and vulnerabilities in the systems on the target network for use with the next steps in our penetration test.
Embedded below is the capstone video we had to create and submit for the professor. In the video I perform an Nmap scan, an Nmap scan with Metasploit, and a Nikto scan.
In the end, I learned more about the tools needed to perform an active scan of a network. I would need to perform such a scan so I can discover new hosts on a network, discover weaknesses on those hosts, and hopefully pivot into exploiting those weaknesses.
Assignment #3: LAN Exploitation
Furthering the path of escalation comes exploiting hosts using the Local Area Network. This assignment involved learning how to use various tools, in particular Ettercap in my case, to perform an attack on a system on the network. In this unit, methods such as MITM, Impersonation, and Spoofing were discussed, along with how these would be done. In my demonstration of knowledge for this section I chose to use Ettercap to spoof a website as a proof of concept of how an attacker or tester may use MAC and DNS spoofing to serve a fake and malicious webpage with a payload or illegitimate links.
Embedded below is the capstone video for this unit. In the video I perform an Ettercap spoofing attack inside of a virtual environment on a personal webpage, and on a legitimate site.
To conclude, I learned how to perform a spoofing attack on a targeted network, what can be accomplished after the spoof is complete, along with why the spoofing attack would be done.
Assignment #4: Host Exploitation
Continuing on with our hypothetical penetration test, we started with exploiting the host machines on a virtual network. As part of exploiting the hosts of a network, we used tools such as Metasploit, Mimikatz, and netcat, and made use of delivering payloads via exploits and vulnerabilities, credential stuffing, and password cracking tools. We used Metasploit to find a vulnerability on a host, before exploiting that vulnerability to deploy a netcat instance on the host for remote Command and Control. Following this we dumped the password hashes from the system before downloading them and cracking them offline, or using them to do a Pass-the-Hash attack. All of this was done in order to further our knowledge of how a penetration tester or attacker could exploit and leverage a system to their advantage.
As a part of this assignment, I came up with a theoretical attack on my own home personal network, where I realized that the active dashboard on my home network could be used as a pivot opportunity to the rest of my home network due to the dashboard having a terminal line available on it. The next logical step would have been to learn how to breach the VPN I used to connect to my home network externally, and fully utilize this potential vulnerability.
Embedded below is the capstone video for this unit. In it, I discuss exploiting a Windows Server 2012 system using the EternalBlue exploit, loading netcat onto the system, and using Mimikatz to dump the password hashes for offline cracking elsewhere.
In conclusion, I learned more about how to breach a target system using vulnerabilities on that system, how to pivot to a different system on the network from a compromised system, the feasibility of a password attack, along with the tools used to perform these maneuvers.
Assignment #5: Application Exploitation
In this segment we were tasked with exploring, discovering, and enacting multiple different forms of web application attacks against a Metasploitable webserver. These included SQL Injection, Command Injection, Directory Traversal, Remote Code Execution, and others. We demonstrated our knowledge by successfully performing the exploits, and recording our findings via video, which can be found embedded below.
From this lesson I learned that many web applications may have unintended vulnerabilities. Whether those are poor SQL practices, unsanitized input, or failure to chroot the web directory, a web application can have many vulnerabilities in it that could be exploited to gain access to a system or the information on that system.
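Two of the weaknesses named above, string-built SQL and an unchecked file path under the web root, are shown here as an added example (not code from the course or the Metasploitable lab), each vulnerable function beside its hardened form. The user table and the `/var/www/html` document root are constructed assumptions.

```python
import posixpath
import sqlite3

WEB_ROOT = "/var/www/html"  # assumed document root of the web app


def make_db():
    # Constructed in-memory table standing in for the app's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable: the request value is spliced into the SQL text, so a
    # quote in the input changes the query rather than the data.
    sql = f"SELECT secret FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Hardened: the value is bound as a parameter and can only ever be
    # compared against the name column, whatever characters it contains.
    sql = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def resolve_unsafe(filename):
    # Vulnerable: joins the requested path straight onto the web root;
    # ".." segments walk out of the directory the server meant to expose.
    return posixpath.normpath(posixpath.join(WEB_ROOT, filename))


def resolve_safe(filename):
    # Hardened: normalise first, then refuse any result that is not still
    # inside WEB_ROOT (the same containment a chroot enforces at OS level).
    path = posixpath.normpath(posixpath.join(WEB_ROOT, filename))
    if posixpath.commonpath([WEB_ROOT, path]) != WEB_ROOT:
        return None
    return path
```

The traversal check works on the normalised path, so encoded or repeated `..` segments are caught after decoding at the same point.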
Assignment #6: Maintaining Persistence
For the final unit of the class, we learned how to maintain persistence in a system after the initial compromise. The methods used to maintain persistence include the automatic running of applications, hiding and destroying logs, avoiding detection, disabling of firewall rules, among other things. By doing these procedures, we can keep our presence on a host hidden, allowing us access to the system at any time. By maintaining persistence we can continue to operate within the target network, enact multistage and multiday plans, siphon data, and generally be dastardly little cretins performing our cretinous activities.
Embedded below is the accompanying video about maintaining persistence. In it I gain access to a system, install a netcat listener, have it start automatically, open a firewall port, and delete the logs of the system.
The Conclusion
I found the class very fun and informative, and it helped my understanding of cybersecurity in the long run. I now understand better just how a system or network can be breached, what can happen during that compromise, and finally, how I can do it for myself if it is necessary to do so. It taught me that the world is a much more dangerous place, and took just that many shades of color away from my rosy glasses. However, I am now prepared to participate in a penetration test should the opportunity arise.