Offensive penetration testing

Aim of this repository is to present and simulate multiple attack types against web applications and various OSes, including Microsoft Windows.

---

About

NOTE: Applying and carrying out the practices described below can be considered as a criminal act. Instructions described on this website have been carried out in a precisely limited scope/environment, in accordance with the terms of use, and accepted by all relevant parties beforehand without affecting outside parties. The hostile practices defined here are not directed to any innocent third parties.

Before utilizing these instructions in your environment, make sure that your actions will be legal and authorized, carried out in a limited scope and with transparency so that every affected party is aware of your actions and accepted them in full scale beforehand. In addition, any affected party must know consequences and risks involved in your actions.

DISCLAIMER: Author of the instructions neither encourage or take responsibility of any misuse or criminal actions which are based on the instructions below!

---

This repository...

• ...utilizes OWASP top 10 list of the most common attack types

• ...utilizes multiple penetration methods with various tools, including Kali Linux and Metasploit Framework

The repository is mainly set up as a requirement by a school cource in Haaga-Helia University of Applied Sciences, Helsinki, Finland. It contains various exercises, translated to English.

Table of Contents

• Exercise 1 - OWASP Top 10, OWASP WebGoat

• Exercise 2 - HackTheBox Environment, Nmap (port scanning), Metasploit Framework, OWASP WebGoat

• Exercise 3 - Vulnerability Scanners (passwords, directories, ports etc.), Source Code Analysis of a Malicious Program, Authentication Bypass

• Exercise 4 - CTF Hacking Challenges, Stuxnet

• Exercise 5 - Trojan Horse (docx, pdf, GZDoom), Conficker Worm, Security Blogs/Articles, DHCP Starvation Attack (Denial of Service)

• Exercise 6 - Android Backdoor, Trojan Horse (SteamSetup.exe), OSINT Techniques

• Exercise 7 - Unicorn/Powershell Attack (docx), HTTP Server Hacking Challenge, Google Project Zero (Exploitation of Linux kernel vulnerability)

• Course feedback (in Finnish)

• BlackArch Linux - Personal configurations

• Iptables ruleset for a simple server

• Fake Apache server HTTP response codes

• Find old package versions at high risk on Arch Linux using updated CVE data

Other contents

Linux backdoor

• Create backdoor for Linux victim machine(s). Does not require server environment, applies to Linux clients, too. Requires social engineering tactics.

BlackArch Linux - Personal configurations

• OWASP WebGoat - Install OWASP WebGoat as a systemd user service

• OWASP Zed Attack Proxy - Install OWASP ZAP as a systemd user service

• MATE Desktop/myGtkMenu - Convert BlackArch Openbox penetration tool menu entries into myGtkMenu compliant format, use these entries with myGtkMenu

---

Iptables ruleset for a simple server

Iptables firewall ruleset featuring the following:

1. Do not respond to ping echoes by clients (possibly reduce spambots)

2. Reject connection if too intense attempts. Useful against port scanners such as Nmap and other brute force scanners such as Dirbuster.

3. Drop all incoming connections, apply only SSH, HTTP and HTTPS

• [File] iptables.rules / Fincer - Linux server setup

---

Fake Apache server HTTP response codes

• [Patch] Apache - Manipulate standard HTTP header response codes

  • Manipulate HTTP header response codes returned to a client by Apache HTTP server.

1. Server HTTP response codes in range 402-451 are returned as error code 400 response instead.

2. Server HTTP response codes in range 500-511 are returned as error code 400 response instead.

3. Server HTTP response codes in range 100-308 are returned normally, including 200 OK message.

• [Patch] Apache - Remove default HTML error message from all error pages

  • Remove default error pages returned by an erroneous HTTP client request.

  • Remove additional HTML error messages as well (such as ones generated by servers behind an Apache proxy, if ProxyErrorOverride On directive is used)

NOTE: These are experimental patches for Apache HTTP web server, use with caution. Feel free to modify them! The server configuration can easily break because we break very deep standards here, just be aware and proceed with care! Thanks!

NOTE: This patchset is useful in some cases but it can bury underneath problems in server configuration. Thus, use discretion before implementing the patches in your Apache server.

NOTE: Apache will complain about missing error codes after you have applied this patchset and if you have custom error redirections in your .htaccess or in other settings. This is why you need to adjust your custom ErrorDocument directives and equivalent settings (RewriteRules, for instance) in your VirtualHost/Page configuration file (/etc/{apache2,httpd}/sites-available/*.conf).

---

Find old package versions at high risk on Arch Linux using updated CVE data

[Bash script] archrisks.sh - Fincer/archtools

Check packages on your system and find out number of potential CVE issues and evaluate generic risk of an outdated package on your Arch Linux system. Does not give detailed information, just a basic summary. Do further analysis for any package if needed on Arch security database and using regular CVE databases

• Requires Arch Linux (core dependencies are: pacman and arch-audit, bc and bash version 4 or higher)

• Simple bash shell script

• CVE security information from Arch security database

• NOTE sudo is required for package database updates retrieved by pacman. If in doubt, you can always check the script yourself (link here).

---

Attack principle - unauthorized access to private intranet

In this demonstration, I fired up a network environment with 1x Raspberry Pi, 1x strictly firewalled DD-WRT router, 1x physical computer & 1x virtual machine. Router established a LAN network for Raspberry Pi, whereas its WAN interface was connected to the physical computer, demonstrating common internet connection. Attack machine ran virtually inside the physical computer, with virtual network interface. Proper iptables & routing policy was applied both to the router and the physical computer, as seen in the image below.

Sorry for this messy image: Just follow the numbers, and you may get the whole idea. This screenshot bundle is directly related to the first image above.

As we can learn, human is the weakest factor here. If your users do not follow strict network policy, this scenario is possible. For attack purposes, I used basic TCP/443 (HTTPS) & TCP/80 (HTTP) ports in payloads, and these ports were used to establish outgoing connection to my rogue Metasploit reverse shell process. Basically, it is very difficult to block this connection type if you allow users to access basic HTTP(S)-based websites from intranet.

---

Real life case - infected Arch Linux KVM hypervisor host

Please see Real life case: Hostile Linux rootkit on my system. How did I get infected by a real Linux rootkit first time in my life? for details.

---

Disclaimer

Author of this repository is not responsible for any possible illegal or malicious usage of any files or instructions provided by this repository. The repository is provided as an act of good will and does not intend to encourage users to participate in any illegal activities. All exercises presented in this repository have been carried out in a pre-configured test environment, minimizing any possible attack vectors or unintended harm to outside parties.

---

About this repository (update, 14th August 2020)

Further development of this repository has been mainly halted. Additional + extended penetration testing, security testing & research is being done on a private repository for now. This policy may or may not change in the future.