PWB/OSCP course related question

Viewing 11 reply threads
  • Author
    Posts
    • #7537
      blueaxis
      Participant

      PWB course discourages using tools like Nessus and Metasploit for exploting the lab machines. I am fine with it. My question is what should be the approach to find the vulnerabilities. Do you follow any pattern or just go through each service and test them manually? I appreciate if someone can give insights on how much time to spend on each host. The course examples use ftp fuzzing but I am not sure how to apply that technique to other services/ports that are open. Please share your thoughts.

    • #47113
      dynamik
      Participant

      Nmap version scanning would give you the most info the quickest. Then just research on exploit-db or the other vuln sites. If you run into problems with the results, you may need to dig a little deeper manually. For example, maybe the banner was changed and that’s all nmap reviewed. In the case of a web server, try HTTPrint in addition to nmap.

      Also, see if you can find another service that discloses information (i.e. snmp may show ports / processes).

      Some may require manual review. Instead of there being a vuln with the web server, maybe you have to explore the web app (view source, etc.) to find the version of the app and see if it has any associated vulnerabilities with that.

      I don’t think you need to do any fuzzing unless you do the Extra Mile exercises in the exploitation module.

    • #47114
      blueaxis
      Participant

      Thanks for posting your inputs. I like your views on the port 80 stuff.

    • #47115
      impelse
      Participant

      I did to arrive to the lab yet, but I think the fuzzing is good. I am doing the extra mile and you begin to understand how to manage the exploit and modify it. This is showing me a good understanding how to attack machines no just copy and paste tools.

    • #47116
      TheXero
      Participant

      An important lesson I learnt was to make sure you check UDP ports as well as TCP.

      Only checking the TCP could mean that you miss a critical vulnerability 🙂

    • #47117
      j0rDy
      Participant

      @TheXero wrote:

      An important lesson I learnt was to make sure you check UDP ports as well as TCP.

      Only checking the TCP could mean that you miss a critical vulnerability 🙂

      if you only check TCP you are doing a half penetration test. ALWAYS check UDP!

    • #47118
      MaXe
      Participant

      Hint: TFTP and especially SNMP can be quite big sinners on any network.

      @j0rDy wrote:

      @TheXero wrote:

      An important lesson I learnt was to make sure you check UDP ports as well as TCP.

      Only checking the TCP could mean that you miss a critical vulnerability 🙂

      if you only check TCP you are doing a half penetration test. ALWAYS check UDP!

      I agree  ;D

    • #47119
      blueaxis
      Participant

      Thanks for sharing your views. I have seen people using the term “Low Hanging Fruit”. Any tips how to identify these?

    • #47120
      dynamik
      Participant

      @blueaxis wrote:

      Thanks for sharing your views. I have seen people using the term “Low Hanging Fruit”. Any tips how to identify these?

      You’re going to have to rely on your intuition and experience here. Think about what *obvious* problems could be present with a given service. Does it require authentication? Maybe blank, default, or easily-guessable credentials are being used. Does the it disclose it’s name and version? Check Exploit DB, maybe you can get a root shell by simply providing a script with the target IP address.

    • #47121
      blueaxis
      Participant

      Thanks very much!

    • #47122
      j0rDy
      Participant

      low hanging fruit refers to easily hackable hosts. Often these hosts can be hacked using automated attacks like DBautopwn or simple password guessing (root/toor) for example. Other hosts that require more skills are considered harder. My advice is look for the low hanging fruit in the labs first, do not worry about skipping a few hosts because they seem too hard, go for the hosts that seem fun/challenging and have a crack at those.

    • #47123
      amol_d
      Participant

      WHen i was stuck and did not know how to proceed, I found it useful to look at videos on youtube and securitytube.net to see how others had approached similar problems. g0tmi1k.blogspot.com has a lot of videos as well, although the machines being hacked are totally different, when you see the videos you understand the approach that is taken from info gathering to validating possible vulnerabilities to getting a shell and the final privilege escalation. Once you understand the approach, it should help you progress faster

Viewing 11 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?