Documentation and Report

A part of penetration testing is presenting the findings to clients. Documentation, report preparation, and presentation are important and must be done in a systematic, structured, and consistent manner.

These are the types of reports:

1. Executive Report
The executive report is a shorter report that gives a high-level view of the pentest output from a business strategy perspective.
These are some basic elements:

  • Objective
  • Vulnerability risk classification
  • Executive summary
  • Statistics
  • Risk matrix

2. Management Report
The management report is mostly designed to cover issues including regulatory and compliance measurement in terms of the target's security posture. It should be made to interest Human Resources and other management staff. These are the key parts:

  • Compliance achievement
  • Testing methodology
  • Assumptions and limitations
  • Change management
  • Configuration management

3. Technical Report
The technical report details the vulnerabilities, how they can be exploited, what the business impact is, and how to fix them.
This type of report is mostly created for those who need to understand the core security of the target system. These are the sections:

  • Security issues
  • Vulnerability map
  • Exploits map
  • Best practices

Social Engineering Toolkit; Creating a Fake Site

Social Engineering Toolkit (SET) is an advanced and easy-to-use computer-assisted social engineering toolset, created by the founders of TrustedSec.

Now, I will try to create a fake login page using SET and its credential harvester. The goal is to obtain the email and password of a target.

Open your terminal on Kali Linux and type setoolkit.

After that, the main menu appears. In this case, type 1, because we want to perform a social engineering attack.

Then type 2.

Type 3, and then 2.

Type the Kali IP.
Then type the page you want to clone. Make sure it has a login template. In my case, I use Facebook.

After that, open the browser and type the IP; it will display the Facebook login page interface.
NOTE: this is not the real page, it is a clone.
Then type an example email and password, then click ‘masuk’ (log in).

Then it will redirect to the original page.

Open the terminal again; it will show a list of the activities that happened on the cloned page. Scroll down to the username field and password field. They show the email and password that were entered before.

The username and password have been obtained.
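Seen from the other side, the clone above has a few tell-tale properties: it is reached by typing a bare IP, it is served over plain HTTP, and its login form posts somewhere other than the real site. The following is an added defender-side example (not part of the original post, and not SET code) that checks a fetched login page for exactly those indicators; the function names, the expected-domain argument and the constructed sample page are assumptions.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit

class _PasswordForms(HTMLParser):
    """Collect the action attribute of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self._action = None  # action of the form currently open, if any
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and self._action is not None and (a.get("type") or "").lower() == "password":
            self.actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def clone_indicators(page_url, html, expected_domain):
    """Return the indicators found; an empty list means nothing suspicious was seen."""
    page = urlsplit(page_url)
    host = page.hostname or ""
    findings = []
    if page.scheme != "https":
        findings.append("login page served over plain " + page.scheme)
    try:
        ip_address(host)  # a brand's login page is never addressed by a bare IP
        findings.append("page host is a bare IP address, not " + expected_domain)
    except ValueError:
        if not _under(host, expected_domain):
            findings.append("page host %s is not under %s" % (host, expected_domain))
    parser = _PasswordForms()
    parser.feed(html)
    for action in parser.actions:
        target = urlsplit(urljoin(page_url, action)).hostname or ""
        if not _under(target, expected_domain):
            findings.append("password form posts to %s instead of %s" % (target, expected_domain))
    return findings

# Constructed sample: a login form as a harvester would serve it (TEST-NET address, not real traffic).
CLONED_PAGE = ('<html><body><form action="index.html" method="post">'
               '<input type="text" name="email"><input type="password" name="pass">'
               '<button>masuk</button></form></body></html>')
```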


Social Engineering

Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities. Security infrastructure consists of people, processes, and technology, and people are the weakest link in the security defense of any organization.

Attack Process
1. Intelligence gathering
2. Identifying vulnerable points
3. Planning the attack
4. Execution

Attack Methods
1. Impersonation: Pretend to be someone else to gain trust
2. Reciprocation: Exchanging a favor in terms of gaining a mutual advantage
3. Influential authority: Manipulates the target’s business responsibilities


Playing with DVWA

We’ve already learned how to install DVWA; now let’s use it to find some vulnerabilities.

This is the DVWA homepage

For a beginner, set the security level to low.

Go to Command Injection. You can ping any IP address or domain from the form; in my case, let’s try google.com. Then click Submit.

After that, you’ll see the ping results, which means we successfully reached it. Then scroll down and view the source code to analyze it.

Now set the security level to medium

Medium Security

High Security
But there is still a vulnerability.

Now try it like this
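The source code viewed above shows why the low level breaks: the submitted target is pasted straight into a shell command line, and the medium and high levels only strip a blacklist of characters from it. The following is an added example (my own Python, not DVWA’s PHP) of the vulnerable pattern beside the fix a practitioner would want: validate the input against an allowlist of IP addresses and hostnames, then run ping without a shell. Function names are assumptions.

```python
import ipaddress
import re
import subprocess

# Allowlist shape of a hostname: dot-separated labels of letters, digits and inner hyphens.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_valid_target(target):
    """True only for an IP address or a plain hostname; anything else is rejected outright,
    so shell metacharacters, spaces and newlines never reach the command."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return _HOSTNAME.match(target) is not None

def unsafe_ping(target):
    """The pattern behind DVWA's low level: user input is pasted into a shell command
    line, so the shell interprets whatever metacharacters it contains. Shown for contrast only."""
    return subprocess.run("ping -c 4 " + target, shell=True,
                          capture_output=True, text=True).stdout

def build_ping_argv(target, count=4):
    """Validate first, then pass the target as one argv element with no shell involved."""
    if not is_valid_target(target):
        raise ValueError("rejected ping target: %r" % target)
    return ["ping", "-c", str(int(count)), target]

def safe_ping(target, count=4):
    """Run ping with shell=False; the argument list is never re-parsed by a shell."""
    result = subprocess.run(build_ping_argv(target, count),
                            capture_output=True, text=True, timeout=60)
    return result.stdout + result.stderr

if __name__ == "__main__":
    print(safe_ping("127.0.0.1", 1))
```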

Upload a shell
To put a shell on the server, go to the ~hackable/upload directory as shown in the picture below.
Then use wget with the link to the php file for the shell.

Go to your hackable/uploads directory and the php file for the shell will be there.


Installing DVWA

Change directory to the web root directory (/var/www/html) using the cd command.
Then download the file from GitHub using the wget command
(https://github.com/ethicalhack3r/DVWA/archive/master.zip)

After it has fully downloaded, unzip master.zip.

Move the content of the DVWA-Master directory to the web root directory using the mv command.
Then change the owner of the web root directory using the chown -R command.
Then check the web root directory files using ls -l.

Start the web server (apache2) and database (mysql) services:
service apache2 start ; service mysql start

Check that both services are running:
ps awux | egrep "apache|mysql"

Then secure the mysql installation; just follow the prompts.


Vulnerability Mapping

Once the operations of information gathering, discovery, and enumeration are complete, it is time to find vulnerabilities that might exist in the target infrastructure.

Vulnerability mapping is the process of identifying and analyzing the critical security flaws in a target environment.

Types of vulnerabilities

The three main classes:

  • Design vulnerabilities: weaknesses found in software specifications
  • Implementation vulnerabilities: technical security flaws found in the code of the system
  • Operational vulnerabilities: arise from faulty configuration and deployment of a system in a specific environment

Types of flaws

  • Local vulnerability

A condition where the attacker needs local access to trigger the vulnerability by executing code is known as a local vulnerability.

  • Remote vulnerability

A condition where the attacker does not have local access but the vulnerability still can be exploited over the network.


WPScan Enumeration

WPScan is a black box vulnerability scanner for WordPress sites. WordPress is a popular open source content management system used by a lot of people, which is why WPScan is necessary.

Now I will try to find the username and password of a WordPress site.
NOTE: This is a site that my father made; I already have permission to perform a pentest on the site.

Run Kali Linux, open the terminal, and type wpscan.

It shows example commands for specific objectives.
First, I want to know the admin username of the site, so I type
wpscan --url dpadmayacafe.com --enumerate u

The censored word is the login admin username.

Next is to find the password. WPScan has a brute-forcing option, so I try to brute-force the password. Since I already know the admin, I use the form that has --username:
wpscan --url dpadmayacafe.com --wordlist <wordlist file location> --username ….

Unfortunately, there is a warning after I try to execute the command.

It seems that the WordPress site has a plugin that blocks WPScan. Try adding --random-agent at the end. In most cases it is supposed to work, but it did not work for me.

In conclusion, I already got the username, but I was unable to make the brute force work.
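The plugin that blocked the scan above was doing what a defender would do with the web server logs. The following is an added defender-side example (not part of the original post, and not WPScan or plugin code): detection logic for the two activities in this post, WPScan’s default user agent and a burst of wp-login.php POSTs, run over constructed Apache access-log lines. The log format, the threshold, the window and the addresses are assumptions; the second rule keys on behaviour so that --random-agent does not defeat it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, as written by the web server in front of WordPress.
_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
                   r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = _LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Return sorted (ip, reason) pairs.
    Rule 1: a User-Agent naming WPScan, which is the default unless --random-agent is used.
    Rule 2: at least `threshold` POSTs to wp-login.php from one IP within `window`; this
    still fires when the user agent was randomized, because it keys on behaviour."""
    alerts, logins = set(), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "wpscan" in rec["ua"].lower():
            alerts.add((rec["ip"], "WPScan user agent"))
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            logins[rec["ip"]].append(rec["ts"])
    for ip, times in logins.items():
        times.sort()
        for i in range(len(times)):  # sliding window starting at attempt i
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.add((ip, "%d wp-login.php POSTs within %ds" % (j - i, window.total_seconds())))
                break
    return sorted(alerts)

# Constructed sample log (TEST-NET addresses), not real traffic: one request carrying the
# default WPScan user agent, then 12 login POSTs in 12 seconds from another IP.
SAMPLE = (
    ['198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 512 "-" "WPScan v3"']
    + ['203.0.113.5 - - [10/Oct/2023:13:56:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" '
       '"Mozilla/5.0"' % s for s in range(12)]
    + ['192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)
```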


Google Dorking

Google hacking or Google dorking is a hacking technique that uses Google search to find security holes in the code that websites use. Dorks are keywords used to filter out the desired results from Google’s database.

Now, I want to try the basic parameters that can be used. The goal is to see if the parameters work.

site:
lists information from the given website. For example, I tried
site:canva.com and got a list of links from the website.

filetype:
lists files of a particular type.
In this example, I try to find pdf files on canva.com. It lists the pdf files on canva.com.

I click the first link and the pdf file is opened.

inurl:
lists URLs that contain a particular word. This time I type inurl:templates and it lists URLs that have the word ‘templates’ in them.

intext:
lists sites whose text contains the particular word.

So, those are the basic parameters for Google dorking, and they worked.
This site also provides many more queries that can be explored.


Target Discovery Tools

Identify Target Machines

Ping
checks whether a host is available.
It works by sending an Internet Control Message Protocol (ICMP) echo request packet to the target host. The host replies with an ICMP echo reply if it is available and the firewall is not blocking the ICMP echo request.

Type ping and then the destination address.

From the screenshot above, one ICMP echo request was sent to the destination IP and the sending host received one ICMP echo reply packet. Use -c to set the number of echo requests to be sent.

OS Fingerprinting

Nmap
a very popular port scanner.
It can also be used to fingerprint a remote machine’s OS.

Using nmap -O IP,
Nmap is able to provide information about the OS used by the machine.


Information Gathering Tools

Information gathering is the 2nd phase of the Kali Linux methodology. In this phase, we collect as much information about our target as possible, such as Domain Name System (DNS) hostnames, IP addresses, technologies used, etc. I will discuss some tools available to collect information about the target.

Public Resources
There are some sources or tools on the internet where you can gather information about a target domain, and they are open to the public. Here are some of them:
Alexa.com
Contains database information about websites.
Archive.org
Contains archives of websites. You can see a previous version of a website before it was updated. You might find some vulnerabilities in the old version; some admins would likely have just kept them.
Robtex.com
For domain and network information.

Whois

From the whois command, we get the DNS servers and the contact person of the domain, which will be very useful later. Other than the command line, whois can also be used through the website www.whois.net.

Analyzing DNS records
Find the IP address using the host command.

As you can see, the IP address of www.dpadmayacafe.com is 156.67.215.52.
You can add -a to query all records.

theharvester
is an email account, username, and hostname gathering tool.
To search for email accounts and hostnames of a target domain, with a maximum of 100 results, using Google:
theharvester -d domain.com -l 100 -b google
