Penetration testing tricks
Penetration testing tricks

Let’s quickly walk through some interesting and useful tricks for penetration testing with black box modal approach. This article oriented mostly for external type of pentesting where you have steps of active and passive information gathering about your targets.

For black box type of testing we will need somehow find out tons of information about potential target, so what methods and tools can help us on this step and what information we need to begin ?

Firstly we need to get company name or company website url as a starting point at the beginning of our little adventure. usually such information provided by customers or we may pick any company on our own. But I strictly recommend you not to do any pentesting activities against unknown targets and if it is not mutually agreed with the target technical owner.

Recon: How we can find and gather information

1. We can google almost everything about our target: google dorks against website, search for emails, for information from third party sources. Also we can additionally research social networks like LinkedIn or Facebook for employees and company information. We can search Twitter and Pastebin for possible data leaks and company mentioning.

2. Passive recon though such services like:

  • Shodan, Censys, Zoomeye – to get information about target systems
  • VirusTotal and DNSDumpster, HackerTarget API – get information for reverse dns, subdomains, malware, IP history
  • Pentest-tools, HackerTarget – online scanning tools
  • Web Archive – see old version of the website/specific pages
  • Hunter.io service – get information about company available email addresses

3. Active recon can be done with your own scripts and tools, or tools from Kali Linux distribution:

  • Aquatone – subdomains discovery, reverse lookups (with help of online services mentioned above), subnets discover
  • Dnsenum – checks for AXFR attacks, subdomains finder etc
  • Masscan – quick subnetwork scan for live hosts and open ports
  • Nmap – host scanning for open ports, banners
  • Hping3 – scanning for/against firewalls
  • WhatWeb / Wig – web applications stack detection
  • BlackWidow – web application information gathering
  • theHarvester & Infoga – gathering information about company emails, employees, social network profiles

4. Ask employees

This is not very popular method, but you can try introduce yourself as other company representative (use fake website, social networks profile) or even as a potential customer and ask for some information. Also users can ask companies to provide them with such kind of information like “Security Testing Report”, company of course will not show you all the details but basic understanding of company security level you may get through such reports.

Scanning & Vulnerability Detection

We may quickly assess for security issues company by combining usage of some tools:

  • We can combine usage of Metasploit + Nmap
  • We can combine usage of Metasploit + Nessus
  • Easy to use masscan through web interface
  • We may even build our own simple tool for additional analysis with help of python or php
  • Integrate BurpSuite / ZAProxy with sqlmap or just export our requests history and load file with requests into sqlmap, additionally we can highlight some requests and put them to XSSer to check for possible XSS vulns
  • Sn1per tool usage – it combines both Recon + some intrusive actions (directories enumeration, services detection, authentication bruteforcing, scanning for some kind of vulnerabilities)
  • Finally we may even use such extension for metasploit as Armitage

For your information Nessus has nmap inside and using it for network scanning and open ports detection. But nessus is very useful also during vulnerabilities detection process and is very flexible during configuration process which may extend a bit our possibilities. It will not automatically exploit all findings for you, but you always can send Nessus scan results to metasploit for example and check everything on your own through msfconsole or even armitage.

Results of such penetration testing activities may vary and effectiveness can be low, but in case if you have loads of targets and not much time but need some results and detect some common vulnerabilities – this is the way you can do it faster.

Privilege Escalation, Access Maintaining & Reporting

For privilege escalation and access maintaining you will need to do several things by your hands manually:

  1. Try to detect possible ways of privilege escalation (it is different for Windows and Linux systems)
  2. Find out available exploits
  3. Try to run them

Access maintaining here may even not be required at all, but you always can try to use publicly available and known solutions for web applications (web shells like WSO, PAS and others). For network level and operating systems here better to use scripts based on Perl or Python to perform back-connect actions with help of netcat (nc) tool.

All those actions above will provide you with huge amount of information which you will need to sort during reporting process, so better to start this even at the beginning. Here can be useful such tools like Faraday or Dradis, as it is possible to import results from many tools into this collaboration platforms and later sort them out and even verify real results and exclude false positives. In Faraday you can even apply your own reporting template and in the end get clear report, the only manual thing here will be – configuring scanners and validation of the results, all other process can be automated.

Conclusion

Yes, we can automate for 90% process of vulnerability testing and partly the process of penetration testing, but as we may see – results may be not full or have lots of false positives in case if we going to exclude manual work at all.

I have done lots of projects already, tried many approaches and from my experience – the best and most effective way will be manual penetration testing. Tools as for current situation – can’t do into the logic or sometimes verify properly some of the findings which require a bit more efforts and deeper research.

1 COMMENT

LEAVE A REPLY