The gMan nixWiki

Because the mind is made of Teflon...




Scanning

Review

The six steps/stages of a PenTest…

  1. Pre-Engagement: Planning & Scope
  2. Recon: Information Gathering
  3. Scanning
  4. Exploitation
  5. Post-Exploitation
  6. Post-Engagement: Report

Overview

Outline of the Scanning Stage:

  1. Initial Interrogation: ping the IPs to see if they are online (ping sweep).
  2. Port Scan: Nmap (and maybe Naabu, etc.)
  3. Further Interrogation: NSE
  4. Vulnerability Scanning: Nessus, OpenVAS, et al.
  5. GOAL: Enumeration (prioritized list of vulnerabilities)

Scanning Philosophy: “Fast and wide first; slow and narrow later.”


Enumeration

Enumeration is essential for an attack to be successful: time spent on exploits that either do not work or crash the target is time wasted, and a crashed service is one you may not get back.

  • Try every angle when enumerating; the information you gather here is what the exploitation stage runs on.

Initial Interrogation

Find Target IPs: We need to scan the network we are on to see what IP our target host has been assigned:

  1. Option #1: netdiscover
  2. Option #2: arp-scan
  3. Option #3: nmap ping sweep

netdiscover

Syntax: netdiscover -r 192.168.0.0/24 # -r, range: 192.168.0.0/24, /16, /8 (ARP based, so it needs root and only sees the local segment; -p sniffs passively without sending anything)

Results:

 19 Captured ARP Req/Rep packets, from 9 hosts.   Total size: 1140
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.1     f4:f5:e8:70:51:7b     10     600  Google, Inc.
 192.168.0.100   f4:6d:04:21:09:62      1      60  ASUSTek COMPUTER INC.
 192.168.0.120   00:1b:a9:46:c1:b3      1      60  Brother industries, LTD.
 192.168.0.141   50:46:5d:67:32:88      1      60  ASUSTek COMPUTER INC.
 192.168.0.210   70:85:c2:83:26:33      1      60  ASRock Incorporation
 192.168.0.229   00:0c:29:fb:94:f9      1      60  VMware, Inc.
 192.168.0.247   c0:c1:c0:b8:de:63      1      60  Cisco-Linksys, LLC
 192.168.0.222   f0:ef:86:0b:0e:58      2     120  Google, Inc.
 192.168.0.214   d8:e0:e1:9d:7b:f7      1      60  Samsung Electronics Co.,Ltd

arp-scan

Syntax: arp-scan -l # -l, localnet: generate the addresses from the local network config (needs root)

Results:

Interface: eth0, type: EN10MB, MAC: 08:00:27:5c:65:26, IPv4: 192.168.0.203
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     f4:f5:e8:70:51:7b       Google, Inc.
192.168.0.100   f4:6d:04:21:09:62       ASUSTek COMPUTER INC.
192.168.0.120   00:1b:a9:46:c1:b3       Brother industries, LTD.
192.168.0.141   50:46:5d:67:32:88       ASUSTek COMPUTER INC.
192.168.0.210   70:85:c2:83:26:33       ASRock Incorporation
192.168.0.229   00:0c:29:fb:94:f9       VMware, Inc.
192.168.0.247   c0:c1:c0:b8:de:63       Cisco-Linksys, LLC
192.168.0.222   f0:ef:86:0b:0e:58       Google, Inc.
192.168.0.214   d8:e0:e1:9d:7b:f7       Samsung Electronics Co.,Ltd (DUP: 1)

Bash: Ping Sweep

Simple sweep of a network for a quick look at what machines are out there (and answer ICMP; hosts that filter ICMP are missed, which is why the ARP-based tools above are the better choice on a local segment):

#!/usr/bin/env bash
# One echo request per host (-c 1), give up after 5 seconds (-w 5).
# Each ping is backgrounded with "&", so the sweep takes about as long as
# one slow ping instead of 254 of them. Output: the IPs that replied.
net=192.168.0
for i in {1..254}
do
    ping -w 5 -c 1 "$net.$i" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done

wait # no args: wait until all background pings have finished

Note the “&” at the end. This will speed things up a lot.


Port Scan Target IPs

Nmap

Masscan

Fast port scanner by Robert David Graham. It sends from its own user-space TCP/IP stack, so it needs root (raw sockets), and its default rate is a cautious 100 packets per second.

Syntax:

masscan -p1-65535 192.168.0.229

Speed it up with the rate option:

masscan -p1-65535 --rate 1000 192.168.0.229
# Roughly the same coverage as: nmap -T4 -p- 192.168.0.229

Extended Syntax (for HTB):

masscan 10.10.10.4 -p1-65535,U:1-65535 --rate=1000 -e tun0
# -p1-65535,U:1-65535 # scan all TCP and UDP ports
# --rate=1000         # send rate = 1000 packets per second
# -e tun0             # send and receive on the VPN interface instead of the default route
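The hand-off the scanning philosophy calls for (fast and wide first, slow and narrow later), as an added example that is not part of the original page: a POSIX shell snippet that parses masscan's list output (the format written by -oL, one "open <proto> <port> <ip> <timestamp>" line per hit) and builds, per host, the targeted nmap command for only the ports masscan actually found. The masscan output embedded below is constructed for the example, and the nmap flag set and the scan_<host> output basename are my choices, not something the page prescribes.

```shell
#!/bin/sh
# Added example: wide masscan sweep -> narrow nmap scan.
# Constructed masscan -oL output (not a real scan). Data lines are
# "open <proto> <port> <ip> <unix-timestamp>"; "#" lines are masscan's own.
SAMPLE_MASSCAN_LIST='#masscan
open tcp 22 192.168.0.229 1669339019
open tcp 80 192.168.0.229 1669339020
open udp 161 192.168.0.229 1669339021
open tcp 443 192.168.0.229 1669339022
open tcp 22 192.168.0.229 1669339023
open tcp 445 192.168.0.210 1669339024
# end'

# Print the unique open ports of one protocol for one host, comma-joined,
# which is the form nmap -p expects. Duplicate hits (retransmits) collapse.
open_ports() {  # usage: open_ports "<masscan list text>" <host> <tcp|udp>
    printf '%s\n' "$1" \
        | awk -v h="$2" -v p="$3" '$1 == "open" && $2 == p && $4 == h { print $3 }' \
        | sort -n -u | paste -sd, -
}

# Print (do not run) the slow-and-narrow nmap command for one host:
# version detection and default scripts against only the ports masscan found.
# UDP ports need -sU; -sS keeps the TCP ports in the same run.
narrow_nmap_cmd() {  # usage: narrow_nmap_cmd "<masscan list text>" <host>
    list=$1 host=$2
    tcp=$(open_ports "$list" "$host" tcp)
    udp=$(open_ports "$list" "$host" udp)
    if [ -z "$tcp" ] && [ -z "$udp" ]; then
        echo "no open ports recorded for $host" >&2
        return 1
    fi
    spec=""
    [ -n "$tcp" ] && spec="T:$tcp"
    [ -n "$udp" ] && spec="${spec:+$spec,}U:$udp"
    flags="-sV -sC"
    [ -n "$udp" ] && flags="-sS -sU $flags"
    echo "nmap $flags -p $spec -oA scan_$host $host"
}

# Run it over the sample: one command per host that had anything open.
for h in 192.168.0.229 192.168.0.210; do
    narrow_nmap_cmd "$SAMPLE_MASSCAN_LIST" "$h"
done
```

With a real sweep (masscan ... -oL sweep.txt) the call is narrow_nmap_cmd "$(cat sweep.txt)" <host>; read the printed command before piping it to sh. A short U: list only means few UDP probes drew a reply at that rate, not that nothing else is listening on UDP.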

Further Interrogation

DirBuster

File Extensions for Windows (IIS)

  • asm,asmx,asp,aspx
  • asm,asmx,asp,aspx,txt,zip,rar,bak (the longer the list, the longer it will take).

File Extensions for Linux (Apache)

  • php, sh, js, html, py

DAVTest

DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

davtest -url <url> [options]
# To see the options just type davtest

Enum4Linux

Enum4linux wraps the Samba client tools (smbclient, rpcclient, net, nmblookup) to pull users, shares, groups and the password policy over SMB from both Windows and Samba (Linux) hosts.

Syntax:

enum4linux [options] ip

Options:

Flag   Description
-U     get userlist
-M     get machine list
-N     get namelist dump (different from -U and -M)
-S     get sharelist
-P     get password policy information
-G     get group and member list
-a     all of the above (full basic enumeration)

Kerberos

Kerberos scanning (initial enumeration): Kerbrute (user enumeration and password spraying against the KDC, run from the attack box) and Rubeus (ticket requests and ticket abuse; a .NET tool, so it runs on a Windows host).


SearchSploit

This is a local search tool on your machine: a copy of the exploit-db.com archive lives on disk and is searchable offline (searchsploit -u refreshes it).

  • When you search, don't be too specific or you won't get any results. Be more general, then filter and vet what comes back.
  • Note: in the path, some entries say “remote” and some say “local”:
      linux/local/46676.php
      linux/remote/34.pl
  • “Local” means you have to execute it locally (from the target machine), e.g. a privilege escalation.
  • “Remote” is a remote exploit (launched from the attack machine against a network service).
  • searchsploit -x <path> shows the exploit; searchsploit -m <path> copies it into the current directory.

Vulnerability Scanning

Nessus

Nessus is a paid-for product. They have a freebie version (Nessus Essentials, capped at 16 IPs), but it comes with a butt-ton of restrictions that make it less than optimal for professional pentesting. Use OpenVAS…

OpenVAS

To install OpenVAS on a Kali box:

apt update
apt install openvas openvas-scanner gvm gvmd -y

Note: gvm stands for Greenbone Vulnerability Management, the framework around the OpenVAS scanner (gvmd the manager, gsad the web UI, ospd-openvas the scanner wrapper); on Kali the two names get used interchangeably.

On Kali the first-time initialization (database, feed sync, admin user, whose generated password is printed at the end) is done by gvm-setup; run it once after the install. gvm-check-setup, below, sets nothing up, it only reports what is wrong.

Once you get the above installed, run this and fix what it tells you to fix how it tells you to fix it:

systemctl start redis-server@openvas.service
gvm-check-setup

If you fix something, run gvm-check-setup again. Lather. Rinse. Repeat… until everything is shiny and clean.

PostgreSQL Error: If you get the following error (the actual version numbers don't matter; you have two versions installed, the script wants the later one, but your system is configured to use the earlier one):

ERROR: The default postgresql version is not the one used for gvmd compilation: (14, need 15).
FIX: Please use pg_upgradecluster to upgrade your postgresql installation

This happens because when the first version of PostgreSQL was installed, its cluster got PostgreSQL's default port (5432). When the next version was installed, its cluster got a different port because 5432 was already taken (probably 5433). pg_lsclusters lists every cluster with its version, port and status; or check the config files directly (replace “14” and “15” with your numbers):

grep -n "port =" /etc/postgresql/14/main/postgresql.conf
# Result:
# 64:port = 5432                   # (change requires restart)

grep -n "port =" /etc/postgresql/15/main/postgresql.conf
# Result:
# 64:port = 5433                   # (change requires restart)

The later version of PostgreSQL needs the default port. So, change the value of port = in the later version's postgresql.conf to 5432 and change port = in the earlier version's postgresql.conf to whatever you want (I just swapped mine). This is fine on a fresh install; if the older cluster already holds a gvmd database, use pg_upgradecluster as the error suggests, since that migrates the data rather than just moving the port.

Then restart PostgreSQL: systemctl restart postgresql

Continue with gvm-check-setup.
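The port swap described above, as an added example that is not from the page: two small POSIX shell helpers that read and rewrite the active port = line of a Debian-style postgresql.conf, plus a swap that refuses to touch anything when either file lacks the line. It is demonstrated on constructed stand-ins for the two config files in a temp directory, so nothing under /etc/postgresql is modified; the file names pg14.conf and pg15.conf are mine.

```shell
#!/bin/sh
# Added example: swap the listening ports of two Debian/Kali PostgreSQL
# clusters so the newer one (the one gvmd was built against) ends up on 5432.
# Demonstrated on constructed copies of the config files; for the real thing,
# point it at /etc/postgresql/<ver>/main/postgresql.conf.

# Print the active "port = N" value; commented-out "#port = ..." lines are skipped.
pg_port() {  # usage: pg_port <postgresql.conf>
    sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the active port line in place, leaving a .bak copy next to the file.
pg_set_port() {  # usage: pg_set_port <postgresql.conf> <port>
    sed -i.bak "s/^\([[:space:]]*port[[:space:]]*=[[:space:]]*\)[0-9][0-9]*/\1$2/" "$1"
}

# Swap the two ports; bails out before editing if either port line is missing.
swap_pg_ports() {  # usage: swap_pg_ports <older-version conf> <newer-version conf>
    old_port=$(pg_port "$1" 2>/dev/null)
    new_port=$(pg_port "$2" 2>/dev/null)
    if [ -z "$old_port" ] || [ -z "$new_port" ]; then
        echo "port line missing in $1 or $2" >&2
        return 1
    fi
    pg_set_port "$1" "$new_port"
    pg_set_port "$2" "$old_port"
}

# Constructed stand-ins for /etc/postgresql/14/main/postgresql.conf and
# /etc/postgresql/15/main/postgresql.conf (same line layout as the real files).
DEMO_DIR=$(mktemp -d)
printf '#port = 5432\nport = 5432\t\t\t# (change requires restart)\n' > "$DEMO_DIR/pg14.conf"
printf '#port = 5432\nport = 5433\t\t\t# (change requires restart)\n' > "$DEMO_DIR/pg15.conf"

swap_pg_ports "$DEMO_DIR/pg14.conf" "$DEMO_DIR/pg15.conf"
echo "14 -> $(pg_port "$DEMO_DIR/pg14.conf"), 15 -> $(pg_port "$DEMO_DIR/pg15.conf")"
# On a real box: systemctl restart postgresql, then pg_lsclusters should show
# the newer version on 5432 and the older one on 5433.
```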

Service Failure Error: If you get an error like this…

Job for ospd-openvas.service failed because the control process exited with error code.

This is happening because of a permission problem on the OpenVAS log. The quick fix is to make the log world-writable:

chmod 666 /var/log/gvm/openvas.log

A tighter fix is to chown the file to the account the service actually runs as (systemctl show -p User ospd-openvas.service prints it) instead of opening it to every local user; either way, check the ownership of the rest of /var/log/gvm while you're there.

# Then run your check again:
gvm-check-setup

# If that goes well, you may need to stop gvm:
gvm-stop

# And then start gvm, and everything should be fine:
gvm-start

Once it's finished and happy and error free, you run OpenVAS with:

gvm-start

Then, if a web page doesn't open auto-magically, plug this into the browser: https://localhost:9392

method_3_scanning.1669339019.txt.gz · Last modified: by gman