
INFRASTRUCTURE PEN TESTING

By Null Bhubaneswar
SETTING THE EXPECTATION RIGHT!!!

• What are private IP addresses?
• 10.0.0.0 – 10.255.255.255 10.0.0.0/8 (255.0.0.0)
• 172.16.0.0 – 172.31.255.255 172.16.0.0/12 (255.240.0.0)
• 192.168.0.0 – 192.168.255.255 192.168.0.0/16 (255.255.0.0)
• What about 127.0.0.1?
• 169.254.x.y?
• What about 169.254.169.254? $
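As an added example (not from the slides), a Python helper that answers the questions on this slide by labelling addresses against the ranges listed here, and reuses that logic to check a target list against the agreed engagement scope before anything is scanned. The scope and target values are constructed; 169.254.169.254 gets its own label because it is the cloud instance metadata service address.

```python
import ipaddress

# Special ranges the slide asks about: RFC 1918 private, loopback and link-local.
SPECIAL = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "loopback": ["127.0.0.0/8"],
    "link-local": ["169.254.0.0/16"],
}
SPECIAL = {k: [ipaddress.ip_network(c) for c in v] for k, v in SPECIAL.items()}
# 169.254.169.254 is the cloud instance metadata service (AWS, Azure, GCP), so it
# is labelled on its own rather than lumped in with ordinary link-local traffic.
CLOUD_METADATA = ipaddress.ip_network("169.254.169.254/32")


def parse_target(spec):
    """Expand one entry ('10.0.0.5', '10.0.0.0/24' or '10.0.0.1-10.0.0.20') into networks."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def classify(net):
    """Label a network by the special range it lies in, or 'public' if none matches."""
    if net.subnet_of(CLOUD_METADATA):
        return "cloud-metadata"
    for label, ranges in SPECIAL.items():
        if any(net.subnet_of(r) for r in ranges):
            return label
    return "public"


def check_scope(targets, scope):
    """Map each target spec to (fully_in_scope, labels); a target is in scope only
    when every network it expands to is a subnet of some client-agreed scope network."""
    scope_nets = [n for s in scope for n in parse_target(s)]
    report = {}
    for spec in targets:
        nets = parse_target(spec)
        in_scope = all(any(n.subnet_of(s) for s in scope_nets) for n in nets)
        report[spec] = (in_scope, sorted({classify(n) for n in nets}))
    return report


if __name__ == "__main__":
    # Constructed sample engagement (not from the slides): agreed scope and a target list.
    scope = ["10.10.0.0/16", "192.168.1.10-192.168.1.20"]
    targets = ["10.10.69.226", "192.168.1.15", "192.168.1.21",
               "127.0.0.1", "169.254.169.254", "8.8.8.8"]
    for spec, (ok, labels) in check_scope(targets, scope).items():
        print(f"{spec:16} {'IN-SCOPE ' if ok else 'OUT-SCOPE'} {', '.join(labels)}")
```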
DIFFERENT TYPES OF INFRA PENTEST

• External infra pentest
• WebApp ++
• Internal infra
• CORP infra pentest
• Segmentation test
• PCI Pentest
• Cloud infra test
• Hybrid infra test
WHAT CAN WE GET TO START AN INFRA PENTEST?

• IP / range of IPs, or sometimes hosts
WEB ++

• Scope is limited to web ports only, so generally an SSL/TLS scan is done.
• https://hackertarget.com/ssl-check/ D
• sslscan xyz.com D
INITIAL ACCESS

• Generally the web app is the pathway to initial access.
• Let's learn some tools, techniques and trades.
• In Kali, install DVWA:
• sudo apt update
• sudo apt install dvwa
• dvwa-start
• dvwa-stop
TOOLS/TECHNIQUES AND TRADES

• File/dir enumeration using DirBuster.
• http://10.10.69.226/setup.php
• Guessed password
• Admin:password (set security to low)
• Brute force using Burp
• cat /usr/share/john/password.lst | more (copy the first 20 passwords, save and run)
• File inclusion using Burp
• https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt (use the first 10)
• Why is /etc/passwd important? $
TOOLS/TECHNIQUES AND TRADES 2

• RCE using Burp
• Why does this work in the web UI but not using Burp? $
• ip=127.0.0.1&whoami&Submit=Submit
• Reverse shell
• https://www.revshells.com/
• Check ifconfig and run commands
• nc -lvnp 9001
• Use the nc rm command
DIFFERENT USER TYPES

• Web server user
• User
• Root/Admin or high privilege user
PCI PENTEST USECASE

• How will one test PCI assets?


SSH

• Create SSH keys
• ssh-keygen
• The public key is what you share with others to grant access.
• The private key means direct access.
• Share the public key
• sudo systemctl start ssh
• Create authorized_keys in ~/.ssh and paste the public key into it
• chmod 600 ~/.ssh/authorized_keys
• ssh targetusername@targetip
KEY BASED AUTH

• We found an SSH private key but it is passphrase protected. How do we solve it?
• Crack it using john
• ssh2john Desktop/id_rsa > id_rsa.hash
• john --wordlist=Desktop/pass.txt id_rsa.hash
• Now log in using the private key and passphrase.
• What if I am running a command and my SSH session closes? How do we solve this issue? $
TMUX

• Tmux is a terminal multiplexer; it allows you to create several "pseudo terminals" from a single terminal D
• https://tmuxcheatsheet.com/
• https://www.hamvocke.com/blog/a-quick-and-easy-guide-to-tmux/
NMAP

• nmap --help
• Check live hosts: nmap -sn 192.168.0.1/24 (ping sweep)
• nmap -T4 192.168.0.1 (What will this do?) $
• nmap -T4 -p- 192.168.0.1 (What will this do?) $
• In-depth scan: nmap -T4 -A -p 80,443 192.168.0.1
• In case no TCP ports are open: sudo nmap -sU -sC -Pn --top-ports 20 10.10.10.116
• When ping is blocked: nmap -sT -Pn -p- -n 10.11.1.10
• To find vulnerabilities: nmap --script vuln -p139,445 10.11.1.227
• In CTFs and bug bounty: nmap -sC -sV -Pn 192.168.0.1
1ST BOX

• https://tryhackme.com/r/room/brooklynninenine
2ND BOX

• https://tryhackme.com/r/room/ignite
CTF CHALLENGE

• https://tryhackme.com/r/room/source
• Solve this without Metasploit ($)
• Solve this using burp ($$$)
THINGS TO REMEMBER

• Always note down the source, scope and timing when performing scans.
• Always double check the scope before testing.
• Try to avoid tools like Metasploit.
• Do not trust any exploit code blindly; it might have a backdoor.
• Practice more and learn more.
• Free certification: https://itmasters.edu.au/short-courses/pen-testing/
• Free training: https://www.youtube.com/watch?v=fNzpcB7ODxQ
Q/A

osintguy@gmail.com

@TheOsintGuy
