Finding ways to gain access to restricted networks or systems might sound difficult at first, but once you have the right approach, it gets easier. Red teamers and pentesters alike all have their own set of techniques and tools that help them along the way. Although there is no one unified utility or framework that does it all, there ARE easy steps to help you successfully penetrate an infrastructure. It usually comes down to the memorable phrase: enumerate, exploit and persist.
You always begin with enumeration, because you need to find out what you are dealing with. Once enumerated, you prioritize the vulnerabilities to decide which ones to focus on, and then continue to exploit them (if there are any). If you manage to infiltrate the system, it is time to plant a backdoor, in case the entrypoint is patched later on. This will enable you to get persistent access into the system afterwards. There are some widely used tools and utilities to help you with these three basic steps so let’s take a look at the most common ones.
Enumeration
Let’s say you want to try and break into a machine which is in the same network as you are. Starting off, you don’t even know if there are any machines in your network. You might not even know what network you are in. So where to start? There are several ways to find out more about both the network and the OS you are working with.
Network
-
ip a- This command will not only give you information about the IP address, but you’ll also find out which networks the system is connected to. -
nmap- Running a quick Nmap scan allows you to enumerate this network. -
nmapscripts - Using the NSE scripts with Nmap to enumerate services allows you to scan different hosts to find vulnerabilities and maybe even brute-force your way in. If you are not familiar with your options, start by runningman nmap. The scripts you can run are located in/usr/share/nmap/scripts/. You can read more about the NSE scripts here or go straight to a list of brute-force scripts.
OS
-
lsb_release -a- Displays information about your Linux OS version.-astands for all, so you’ll get everything there is to see. -
ls -la- Displays a list of files, file permissions and other such information in the filesystem (-aguarantees that hidden files starting with . are displayed as well). -
sudo -l- This command will tell you what kind of sudo permissions are granted to you — that is, you will find out what commands you are allowed to run. -
getent passwd- Shows a list of users in the system. -
ls -l /home/*- Displays a full list of the contents of the home directory.
Exploitation
You have come to the point where you have a good overview of what you’re dealing with. Maybe you were even lucky enough to directly use the outcome of the enumeration in the exploitation phase. Now it’s time to actually get cracking. So how should you get started?
- Version-specific vulnerabilities: Use Google to search for vulnerabilities connected to specific versions of applications or systems you are dealing with.
- Exploitation PoCs: Again, Google is your friend. You can find a sea of potentially suitable proofs of concept from the internet.
- Metasploit: Metasploit is an open-source pentesting framework. It also has a PRO version that you can test out for free. In short, Metasploit consists of various modules serving different purposes — exploit modules, auxiliary modules, payload modules, and so on. It has hundreds of ready-to-use modules, thus, if you can find something that suits your needs, you can save a lot of time and effort.
Post-Exploitation Persistence
Look at you, you managed to stir some trouble. But you don’t plan on leaving just yet, do you? To avoid the possibility that owners of the house might unexpectedly close the window you used to sneak in, it’s smart to leave a backdoor open just in case. Maybe plant some keys while you’re at it. But where to get started?
-
ssh-keygen- This will allow you to create a keypair that you can use later.- Seed public keys into all the servers you hack.
- Add jump hosts with
ProxyJumpinto your SSH config for ease of access later on.
Hint! We were talking about Metasploit modules recently. I wonder if there could be an SSH key module just for this situation as well?
After “owning a box”, you could start enumerating again to see if you can maybe elevate your privileges or find new targets and keep the cycle going. There’s always more to explore.
Conclusion
Once you have your own toolset in place, penetration testing becomes much easier. Just remember, enumerate, exploit and persist.
