|
blueaxis
|
 |
« on: April 23, 2012, 01:50:20 PM » |
|
PWB course discourages using tools like Nessus and Metasploit for exploting the lab machines. I am fine with it. My question is what should be the approach to find the vulnerabilities. Do you follow any pattern or just go through each service and test them manually? I appreciate if someone can give insights on how much time to spend on each host. The course examples use ftp fuzzing but I am not sure how to apply that technique to other services/ports that are open. Please share your thoughts.
|
|
|
|
|
Logged
|
|
|
|
ajohnson
Recruiters
Hero Member
 Offline
Posts: 1060
aka dynamik
|
|
« Reply #1 on: April 23, 2012, 03:00:04 PM » |
|
Nmap version scanning would give you the most info the quickest. Then just research on exploit-db or the other vuln sites. If you run into problems with the results, you may need to dig a little deeper manually. For example, maybe the banner was changed and that's all nmap reviewed. In the case of a web server, try HTTPrint in addition to nmap.
Also, see if you can find another service that discloses information (i.e. snmp may show ports / processes).
Some may require manual review. Instead of there being a vuln with the web server, maybe you have to explore the web app (view source, etc.) to find the version of the app and see if it has any associated vulnerabilities with that.
I don't think you need to do any fuzzing unless you do the Extra Mile exercises in the exploitation module.
|
|
|
|
|
Logged
|
WIP: GCFA | www.infosiege.net | @infosiege The day you stop learning is the day you start becoming obsolete. |
|
|
|
blueaxis
|
|
« Reply #2 on: April 23, 2012, 06:04:38 PM » |
|
Thanks for posting your inputs. I like your views on the port 80 stuff.
|
|
|
|
|
Logged
|
|
|
|
|
impelse
|
|
« Reply #3 on: April 23, 2012, 06:34:09 PM » |
|
I did to arrive to the lab yet, but I think the fuzzing is good. I am doing the extra mile and you begin to understand how to manage the exploit and modify it. This is showing me a good understanding how to attack machines no just copy and paste tools.
|
|
|
|
|
Logged
|
|
|
|
|
TheXero
|
|
« Reply #4 on: April 24, 2012, 03:59:56 AM » |
|
An important lesson I learnt was to make sure you check UDP ports as well as TCP. Only checking the TCP could mean that you miss a critical vulnerability  |
|
|
|
|
Logged
|
|
|
|
|
j0rDy
|
|
« Reply #5 on: April 24, 2012, 07:07:35 AM » |
|
An important lesson I learnt was to make sure you check UDP ports as well as TCP. Only checking the TCP could mean that you miss a critical vulnerability if you only check TCP you are doing a half penetration test. ALWAYS check UDP! |
|
|
|
|
Logged
|
ISC2 Associate, CEH, ECSA, OSCP, OSWP
earning my stripes appears to be a road i must travel alone...with a little help of EH.net
|
|
|
|
MaXe
|
|
« Reply #6 on: April 24, 2012, 02:19:29 PM » |
|
Hint: TFTP and especially SNMP can be quite big sinners on any network. An important lesson I learnt was to make sure you check UDP ports as well as TCP. Only checking the TCP could mean that you miss a critical vulnerability if you only check TCP you are doing a half penetration test. ALWAYS check UDP! I agree  |
|
|
|
|
Logged
|
I'm an InterN0T'er
|
|
|
|
blueaxis
|
|
« Reply #7 on: April 24, 2012, 04:31:38 PM » |
|
Thanks for sharing your views. I have seen people using the term "Low Hanging Fruit". Any tips how to identify these?
|
|
|
|
|
Logged
|
|
|
|
ajohnson
Recruiters
Hero Member
Offline
Posts: 1060
aka dynamik
|
|
« Reply #8 on: April 24, 2012, 08:43:03 PM » |
|
Thanks for sharing your views. I have seen people using the term "Low Hanging Fruit". Any tips how to identify these?
You're going to have to rely on your intuition and experience here. Think about what *obvious* problems could be present with a given service. Does it require authentication? Maybe blank, default, or easily-guessable credentials are being used. Does the it disclose it's name and version? Check Exploit DB, maybe you can get a root shell by simply providing a script with the target IP address. |
|
|
|
|
Logged
|
WIP: GCFA | www.infosiege.net | @infosiege The day you stop learning is the day you start becoming obsolete. |
|
|
|
blueaxis
|
|
« Reply #9 on: April 24, 2012, 09:01:56 PM » |
|
Thanks very much!
|
|
|
|
|
Logged
|
|
|
|
|
j0rDy
|
|
« Reply #10 on: April 25, 2012, 03:08:54 AM » |
|
low hanging fruit refers to easily hackable hosts. Often these hosts can be hacked using automated attacks like DBautopwn or simple password guessing (root/toor) for example. Other hosts that require more skills are considered harder. My advice is look for the low hanging fruit in the labs first, do not worry about skipping a few hosts because they seem too hard, go for the hosts that seem fun/challenging and have a crack at those.
|
|
|
|
|
Logged
|
ISC2 Associate, CEH, ECSA, OSCP, OSWP
earning my stripes appears to be a road i must travel alone...with a little help of EH.net
|
|
|
|
amol_d
|
|
« Reply #11 on: April 28, 2012, 09:24:08 AM » |
|
WHen i was stuck and did not know how to proceed, I found it useful to look at videos on youtube and securitytube.net to see how others had approached similar problems. g0tmi1k.blogspot.com has a lot of videos as well, although the machines being hacked are totally different, when you see the videos you understand the approach that is taken from info gathering to validating possible vulnerabilities to getting a shell and the final privilege escalation. Once you understand the approach, it should help you progress faster
|
|
|
|
|
Logged
|
OSCP CISSP CSSLP CISA
|
|
|
|
