Hacking Machines 101
Furkan ÖZER
July 2023
About
• Yıldız Technical University – Computer Engineering
• Red Team Operator – 2016
• Forestall – Co-Founder – 2020
• LockedShields – Green Team Member – 2019
• CS RANGER, OSCP, OSCE, CRTP, CARTP, AWS CSAA
• frknozr.github.io / forestall.io/blog
• Twitter/Github/Gitlab - frknozr
• Borabay, Invoke-Ulubat, Kangal
Intro
• Hacking
○ to gain illegal access to (a computer network, system, etc.)
○ a usually creatively improvised solution to a computer hardware or programming problem or limitation
○ a clever tip or technique for doing or improving something
○ using a process, object, or technology in ways it wasn't initially made for
• Machine (in cyber security context)
○ refers to computers, servers, network devices, or even specific types of digital machines like ATMs, POS terminals, or voting machines
How do we start?
• What is the target?
○ Is it a laptop, a server, a firewall or an ATM?
• How can I access the target?
○ Can I access it through the Internet?
○ Can I access it physically?
○ Are we using the same Wi-Fi network?
• What is the target Operating System?
○ Windows, Linux, BSD etc?
• Which ports are accessible on the target?
• Which programs/services are running on the target?
○ Web service, file sharing, etc.?
Reconnaissance
Reconnaissance/Information Gathering/Enumeration
• First, we need to gather the necessary information about the target in order to answer the questions above
○ Passive information gathering
○ Active information gathering
• Active Info. Gathering
○ Gathering information by establishing various kinds of connections with the target
○ Network scanning, Vulnerability Scanning
• Passive Info. Gathering
○ Gathering as much information as possible without making contact with the target
○ Social Media, Third-Party Scanners, Search Engines
Active Information Gathering
• Manual methods and various automated tools can be used for active information gathering.
• Nmap ("Network Mapper") is a free and open source command-line tool for network discovery and security auditing
• Nmap is useful for
○ Identifying active hosts
○ Scanning open/closed ports
○ Identifying services and versions
○ Identifying operating systems
○ Detecting vulnerabilities
○ Firewall / IDS evasion
Lab Setup
Active Information Gathering
# Identifying our IP address and network range
$> ifconfig
Active Information Gathering
# Scanning network with nmap to find active hosts
$> nmap 192.168.231.0/24
Active Information Gathering
# Scanning target with nmap
# -Pn -> Disable host discovery. Port scan only.
# -v -> Enable verbose mode
# -sT -> TCP connect port scan
# -sV -> Attempts to determine the version of the service running on port
# -p- -> Scan all ports
$> nmap -Pn -v -sT -sV -p- 192.168.231.168
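The scan above produces a long list of ports and version strings; turning it into an inventory is the first thing a practitioner does with it. As an added example (not part of the slides), the parser below reads nmap's XML report (written with the real `-oX` flag) and separates services nmap actually fingerprinted from names it only guessed from the port number. The XML embedded here is a constructed sample in nmap's output format, not a real scan of the lab target.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format `nmap -sV -oX scan.xml` writes; not real scan output.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -Pn -sT -sV -p- -oX scan.xml 192.168.231.168">
<host><status state="up" reason="user-set"/>
<address addr="192.168.231.168" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.7" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="27017"><state state="open" reason="syn-ack"/>
<service name="mongod" method="table" conf="3"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="conn-refused"/>
<service name="mysql" method="table" conf="3"/></port>
</ports></host></nmaprun>"""


def parse_open_ports(xml_text):
    """One dict per open port on each live host, sorted by host and port.
    `probed` is True only if nmap fingerprinted the service (method="probed");
    method="table" means the name was guessed from the port number alone."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if addr is None or status is None or status.get("state") != "up":
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are not inventory
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            records.append({
                "host": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", "unknown"),
                "product": " ".join(filter(None, [attrs.get("product"), attrs.get("version")])),
                "probed": attrs.get("method") == "probed",
            })
    return sorted(records, key=lambda r: (r["host"], r["port"]))


def unverified_services(records):
    """Open ports whose service name is only a port-table guess: check these by hand."""
    return [r for r in records if not r["probed"]]
```

On a real report, call `parse_open_ports(open("scan.xml").read())`; anything returned by `unverified_services` deserves a manual banner grab before it goes into the vulnerability assessment.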
How can we use this info?
Vulnerability Assessment
Vulnerability Assessment
• Vulnerability
○ a weakness in an IT system that can be exploited by an attacker to deliver a successful attack
• CVE (Common Vulnerabilities and Exposures)
○ The CVE system provides a reference method for publicly known information-security vulnerabilities and exposures.
• We need to identify vulnerabilities on these ports/services
○ Commercial tools (Nessus, Nexpose, GreenBone, Netsparker etc)
○ Open Source Vulnerability Scanners (OpenVas, Nmap NSE etc)
○ Vulnerability Databases (Exploit-DB, attackerkb.com, cvedetails.com, etc.)
○ Manual methods
Vulnerability Assessment – Apache Tomcat
# Enumerating Apache Tomcat
nmap -Pn -sT -A -p 8080 192.168.231.168
Metasploit
• Metasploit is a powerful and widely used open-source tool for penetration testing and cybersecurity research.
• The framework includes various tools, ready-made exploits, and payload options to discover, exploit, and verify vulnerabilities.
• Metasploit also provides the infrastructure to establish a command and control channel over a target system.
Vulnerability Assessment – Apache Tomcat
Default Username and Password Usage on Apache Tomcat
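The defender-side counterpart of this finding is checking `conf/tomcat-users.xml` for accounts that can reach the Manager application with a default or trivial password. The audit below is an added example (not from the slides or the Tomcat project); the XML it parses is a constructed sample, the role names are Tomcat's own, and the weak-password list is illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed example of conf/tomcat-users.xml (not from the target). The default
# namespace is the one Tomcat itself writes, and it is what trips up naive parsers.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="" roles="manager-script"/>
  <user username="ops" password="Xy7#long-random-passphrase" roles="manager-status"/>
  <user username="guest" password="guest" roles="tomcat"/>
</tomcat-users>"""

# Roles that expose the Manager / Host Manager web apps (names are Tomcat's own).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}
# Illustrative list of values seen in shipped examples and tutorials; extend it locally.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "s3cret", "changeit"}


def audit_tomcat_users(xml_text):
    """Return (username, reason) findings for accounts that can reach the manager
    apps with an empty, username-equal or well-known password."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":      # strip the "{namespace}" prefix
            continue
        name = el.get("username", "")
        pw = el.get("password") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue                             # no manager access: out of scope here
        if pw == "":
            findings.append((name, "empty password on privileged account"))
        elif pw.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif pw.lower() in WEAK_PASSWORDS:
            findings.append((name, "well-known default password"))
    return findings
```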
Exploitation
Exploitation
• Exploit
○ a method, program, or piece of code designed to find and take advantage of a security vulnerability in an application or computer system
• After we find a vulnerable service, input, etc., we can use a suitable exploit for different purposes
○ Executing code on the system (Remote Code Execution)
○ Retrieving application database (Data Exfiltration)
○ Blocking the access (Denial of Service)
○ Impersonation or takeover accounts (Account Takeover)
○ Modifying or destroying the data (Defacement / Data Destruction)
Exploitation – Apache Tomcat
Vulnerability Assessment – Web Server
# Enumerating Web Server
nmap -Pn -sT -A -p 80 192.168.231.168
Exploitation – Web Server
Command Injection on PHPMoAdmin
curl "http://192.168.231.168/mongoadmin/" -d "object=1;system('whoami');exit"
Nikto
• Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software and other vulnerabilities.
• We can quickly use Nikto for basic security checks
# Running Nikto
nikto -h http://192.168.231.168
Vulnerability Assessment – Web Server
ShellShock Vulnerability
Exploitation – Web Server
ShellShock Vulnerability
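Shellshock attempts against a CGI script are visible in the web server's own logs, because the bash function-definition prefix arrives in an HTTP header that the server records. The detector below is an added example (not from the slides) that runs over Apache "combined" access-log lines; the log lines are constructed and the marker regex is deliberately loose about whitespace. Note that the HTTP status is not a useful signal on its own: the constructed hits return 200 and 500 respectively.

```python
import re

# Constructed Apache "combined" access-log lines (not from the target). The last two
# carry a bash function-definition prefix in the User-Agent / Referer header, the
# shape a CGI handler would export into bash's environment.
SAMPLE_ACCESS_LOG = """\
192.168.231.5 - - [10/Jul/2023:14:02:11 +0300] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.231.5 - - [10/Jul/2023:14:02:19 +0300] "GET /cgi-bin/status.sh HTTP/1.1" 200 78 "-" "curl/7.81.0"
192.168.231.77 - - [10/Jul/2023:14:05:02 +0300] "GET /cgi-bin/status.sh HTTP/1.1" 200 78 "-" "() { :; }; /bin/true"
192.168.231.77 - - [10/Jul/2023:14:05:03 +0300] "GET /cgi-bin/status.sh HTTP/1.1" 500 0 "() {:;}; /bin/true" "curl/7.81.0"
"""

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The Shellshock trigger is a variable value beginning with a bash function definition
# "() {"; matched loosely so whitespace variations do not slip past the rule.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")


def detect_shellshock(log_text):
    """Return one (line_no, client_ip, field, request) tuple per log line whose
    request line, Referer or User-Agent carries the function-definition marker."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = COMBINED_LOG.match(line)
        if not m:
            continue                      # not combined format: skip rather than guess
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_MARKER.search(m.group(field)):
                hits.append((n, m.group("ip"), field, m.group("request")))
                break                     # one finding per line is enough
    return hits
```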
What do we do now?
• We gained access to the target in several ways
• But what is our next step?
Privilege Escalation
Cyber Kill Chain
Mitre ATT&CK Matrix
Free Labs
• Hack the Box (https://app.hackthebox.com/)
• Try Hack Me (https://tryhackme.com/)
• VulnHub (https://www.vulnhub.com/)