1) Passive information gathering........................................................................................5
2) Active information gathering...........................................................................................6
a) DNS Zone Transfer.................................................................................................. 6
b) Host Discovery with nmap........................................................................................7
c) Port Scanning with nmap......................................................................................... 7
II. Assessment Methodologies : Footprinting & Scanning................................................ 8
1) Network Mapping........................................................................................................... 8
2) Port scanning................................................................................................................. 8
III. Assessment Methodologies : Enumeration................................................................... 9
1) SMB............................................................................................................................... 9
A) SMB Windows Discover and Mount........................................................................ 9
B) Nmap scripts (enumeration)...................................................................................11
C) SmbMap................................................................................................................ 12
D) SMB on Linux : Samba (port 445)......................................................................... 12
E) SMB Dictionary Attack........................................................................................... 13
2) FTP.............................................................................................................................. 14
3) SSH..............................................................................................................................15
a) Enumeration........................................................................................................... 15
b) bruteforce............................................................................................................... 15
4) HTTP reconnaissance..................................................................................................16
5) SQL.............................................................................................................................. 17
A) MySQL database Enumeration..............................................................................17
B) MySql Dictionary attack......................................................................................... 19
C) Microsoft SQL Server enumeration........................................................................ 19
D) MsSql enum & bruteforce...................................................................................... 20
IV. Assessment Methodologies : Vulnerability Assessment............................................21
V. Host & Network Penetration Testing : System/Host Based Attacks........................... 22
1) Windows vulnerabilities exploitation.............................................................................22
A) Exploiting WebDAV running on a Microsoft IIS server by uploading a webshell... 22
B) Exploiting WebDAV running on a Microsoft IIS server with Metasploit.................. 24
C) Exploiting SMB with PsExec..................................................................................25
D) Exploiting MS17-010 SMB vulnerability.................................................................26
E) Exploiting RDP.......................................................................................................26
F) Exploiting Windows CVE 2019-0708 RDP vulnerability (BlueKeep)......................27
G) Exploiting WinRM with crackmapexec, Evil WinRM, & Msf...................................27
2) Windows privilege escalation....................................................................................... 28
A) Kernel exploitation................................................................................................. 28
B) Bypassing UAC with UACMe.................................................................................29
C) Windows Access token impersonation.................................................................. 31
3) Windows file system Vulnerabilities : Alternate Data Streams..................................... 32
4) Windows Credential Dumping......................................................................................33
A) Searching for passwords in windows configuration files (Unattend.xml)............... 33
B) Dumping Hashes with Mimikatz.............................................................................35
C) Pass the hash with MSF PsExec module & Crackmapexec................................. 36
5) Linux vulnerabilities exploitation...................................................................................37
A) Exploiting Shellshock CVE-2014-6271.................................................................. 37
B) Exploiting FTP....................................................................................................... 41
C) Exploiting SSH.......................................................................................................42
D) Exploiting SAMBA................................................................................................. 43
6) Linux privilege escalation............................................................................................. 43
B) Exploiting Misconfigured Cron Jobs...................................................................... 45
C) Exploiting SUID Binaries....................................................................................... 46
7) Linux passwords hashes Dumping.............................................................................. 47
VI. Host & Network Penetration Testing : Network Based Attacks..................................49
1) Tshark basics and filters...............................................................................................49
2) ARP Poisoning............................................................................................................. 50
VII. Host & Network Penetration Testing : The Metasploit Framework........................... 51
1) Overview, installation & fundamentals......................................................................... 51
2) Information Gathering & Enumeration..........................................................................55
A) Nmap & MSF......................................................................................................... 55
B) Port scanning with auxiliary modules & Pivoting................................................... 55
C) FTP enumeration & bruteforce.............................................................................. 56
D) SMB Enumeration & bruteforce............................................................................. 57
E) Web server enumeration & bruteforce................................................................... 57
F) MySQL enum & bruteforce.................................................................................... 58
G) SSH Enum & bruteforce........................................................................................ 60
H) SMTP Enum.......................................................................................................... 61
3) Vulnerability Scanning with MSF..................................................................................61
A) Metasploitable 3 manual vulnerability scanning.................................................... 61
B) Nessus with MSF................................................................................................... 63
C) Web Apps vulnerability scanning with WMAP....................................................... 65
4) Client-Side attacks....................................................................................................... 66
A) Generating payloads with Msfvenom & Transferring payload & Setup a listener.. 66
B) Encoding payloads with Msfvenom....................................................................... 67
C) Injecting encoded payloads into Windows Portable Executables..........................67
D) Automating MSF with resource scripts.................................................................. 69
5) Windows Exploitation................................................................................................... 70
A) Exploiting a vulnerable HTTP File server (HFS) : Rejetto..................................... 70
B) Exploiting SMB with Eternal Blue.......................................................................... 70
C) Exploiting WinRM.................................................................................................. 71
D) Exploiting a vulnerable Apache Tomcat Web Server.............................................73
6) Linux Exploitation......................................................................................................... 75
A) Exploiting a vulnerable FTP server (vsftpd) & upgrade shell to meterpreter......... 75
B) Exploiting Samba v3.5.0........................................................................................ 75
C) Exploiting a vulnerable SSH server (libssh V0.6.0 - 0.8.0)....................................76
D) Exploiting a vulnerable SMTP Server.................................................................... 77
7) Post exploitation fundamentals.................................................................................... 77
8) Windows post exploitation (privileges escalation, persistence & clearing traces)........80
A) Windows post exploitation modules & Meterpreter commands............................. 80
B) Windows Privilege Escalation : Bypassing UAC....................................................83
C) Windows Privilege Escalation : Token Impersonation with Incognito.................... 84
D) Dumping hashes & clear text passwords with Mimikatz & Kiwi............................. 86
E) Pass the hash with Psexec MSF module via SMB................................................ 87
F) Establishing persistence on Windows....................................................................88
G) Enabling RDP........................................................................................................ 88
H) Windows Keylogging............................................................................................. 89
I) Clearing Windows Event logs................................................................................. 90
J) Pivoting & port forwarding...................................................................................... 90
9) Linux Post exploitation (privileges escalation, dumping hashes & persistence).......... 93
A) Linux post exploitation modules.............................................................................93
B) Linux privileges escalation : Exploiting a vulnerable program (chkrootkit)............ 96
C) Dumping hashes with Hashdump MSF module & other post exploitation modules.. 98
D) Establishing persistence on linux.......................................................................... 99
10) Armitage : Port scanning, enumeration, exploitation, post exploitation & pivoting...101
VIII. Host & Network Penetration Testing : Exploitation................................................. 111
1) Vulnerability scanning.................................................................................................111
A) Banner grabbing (SSH target)..............................................................................111
B) Vulnerability scanning with Nmap scripts (HTTP target)...................................... 111
C) Vulnerability scanning with MSF (SMB target).....................................................112
2) Exploits.......................................................................................................................113
A) Searching for publicly available exploits.............................................................. 113
B) Searching for exploits with searchsploit............................................................... 113
C) Fixing exploits...................................................................................................... 114
D) Cross-compiling exploit........................................................................................115
3) Shells..........................................................................................................................117
A) Netcat fundamentals............................................................................................ 117
B) Bind shells with nc................................................................................................119
C) Reverse shells with nc......................................................................................... 120
D) Reverse shell Cheat Sheet..................................................................................120
4) Frameworks............................................................................................................... 122
A) MSF..................................................................................................................... 122
B) Powershell empire............................................................................................... 124
5) Windows exploitation - black box pentest scenario....................................................124
A) Port scanning & enumeration.............................................................................. 124
B) Targeting microsoft IIS FTP................................................................................. 126
C) Targeting OpenSSH.............................................................................................128
D) Targeting SMB..................................................................................................... 128
E) Targeting MySQL database server...................................................................... 130
6) Linux exploitation - black box pentest scenario..........................................................134
A) Port scanning & enumeration.............................................................................. 134
B) Targeting vsFTPd..................................................................................................136
C) Targeting PHP..................................................................................................... 136
D) Targeting SAMBA................................................................................................ 138
7) Obfuscation................................................................................................................ 139
IX. Host & Network Penetration Testing : Post Exploitation.......................................... 141
1) Windows local enumeration....................................................................................... 141
A) Enumerating system information......................................................................... 141
B) Enumerating users and groups............................................................................142
C) Enumerating network information (important for pivoting)................................143
D) Enumerating processes and services & scheduled tasks................................... 143
E) Automating windows local enumeration.............................................................. 144
2) Linux local enumeration............................................................................................. 147
A) Enumerating system information......................................................................... 147
B) Enumerating users & groups............................................................................... 147
C) Enumerating network information (pivoting)........................................................ 147
D) Enumerating processes & Cron jobs................................................................... 148
E) Automating linux local enumeration.....................................................................148
3) Transferring files to windows & linux targets.............................................................. 150
A) Setting up a Web server with Python...................................................................150
B) Transferring files to windows targets................................................................... 150
C) Transferring files to linux targets..........................................................................150
4) Upgrading shells........................................................................................................ 150
5) Windows privileges escalation................................................................................... 151
A) Identifying Windows Privilege Escalation Vulnerabilities..................................... 151
B) Windows privileges escalation (continued from A : Winlogon).............................152
6) Linux privileges escalation.........................................................................................153
A) Weak permissions................................................................................................153
B) SUDO privileges.................................................................................................. 154
7) Persistence................................................................................................................ 154
A) Windows persistence via services....................................................................... 154
B) Windows persistence via RDP with a backdoor user.......................................... 155
C) Linux persistence via SSH keys.......................................................................... 155
D) Linux persistence via Cron Jobs..........................................................................155
8) Dumping & cracking................................................................................................... 156
A) Dumping & cracking Windows NTLM hashes......................................................156
B) Dumping & cracking Linux password hashes...................................................... 157
9) Pivoting & port forwarding.......................................................................................... 158
X. Web Application Penetration Testing : Intro to the Web and HTTP Protocol.......... 159
1) HTTP Method Enumeration with Curl........................................................................ 159
2) Directory enumeration with Gobuster.........................................................................160
3) Scanning web application with Nikto..........................................................................161
4) Attacking HTTP Login Form with Hydra.....................................................................162